[讨论]相当复杂的破解。请高手求解-付费问答-看雪-安全社区|安全招聘|kanxue.com

[旧帖] [讨论]相当复杂的破解。请高手求解 0.00雪花

发表于: 2010-12-1 21:33 2384

[旧帖] [讨论]相当复杂的破解。请高手求解 0.00雪花

杨氏

2010-12-1 21:33

2384

半个月前本人下载了一个软件。用起来也觉的很好用，所以也是问了软件的作者想购买此软件的。但是人家不卖。原因是因为这个软件说是免费的。但是每天要用的时候你点击后要密码你才能进去。要不进去你也用不了里面的功能。但是我没有时间天天能上网。又想用这好软件。但人家不卖，所以才想到破解。我对电脑也是一个门外汉。上网几天，天天都是在查怎么样用Ollydbg来破解这个人就。文章看了不少。但是怎么样还是攻不下来。所以请各位高手指点指点。下面是代码请高手看看。
0040420F >  55             PUSH EBP
00404210 8BEC          MOV EBP,ESP
00404212 83E4 F8       AND ESP,FFFFFFF8
00404215 81EC F40C0000 SUB ESP,0CF4
0040421B 53             PUSH EBX
0040421C 56             PUSH ESI
0040421D 57             PUSH EDI
0040421E E8 82FBFFFF    CALL 双色球过.00403DA5
00404223 8B35 0CC04100 MOV ESI,DWORD PTR DS:[<&KERNEL32.GetTick>; kernel32.GetTickCount
00404229 FFD6          CALL ESI
0040422B 83E0 11       AND EAX,11
0040422E BB 10504000    MOV EBX,双色球过.00405010
00404233 3D 11010000    CMP EAX,111
00404238 0F84 21040000 JE 双色球过.0040465F
0040423E FFD6          CALL ESI
00404240 A3 0C504000    MOV DWORD PTR DS:[40500C],EAX
00404245 E8 4DFCFFFF    /CALL 双色球过.00403E97
0040424A 8BC8          |MOV ECX,EAX
0040424C 2B0D 0C504000 |SUB ECX,DWORD PTR DS:[40500C]
00404252 6A 03          |PUSH 3
00404254 33D2          |XOR EDX,EDX
00404256 8BC1          |MOV EAX,ECX
00404258 5E             |POP ESI
00404259 F7F6          |DIV ESI
0040425B F7C1 0080FFFF |TEST ECX,FFFF8000
00404261 0F85 A9020000 |JNZ 双色球过.00404510
00404267 33C0          |XOR EAX,EAX
00404269 33FF          |XOR EDI,EDI
0040426B 89BC24 E4080000 |MOV DWORD PTR SS:[ESP+8E4],EDI
00404272 66:898424 D0040>|MOV WORD PTR SS:[ESP+4D0],AX
0040427A 89BC24 CC040000 |MOV DWORD PTR SS:[ESP+4CC],EDI
00404281 66:898424 B8000>|MOV WORD PTR SS:[ESP+B8],AX
00404289 E8 09FCFFFF    |CALL 双色球过.00403E97
0040428E 8BC8          |MOV ECX,EAX
00404290 2B0D 0C504000 |SUB ECX,DWORD PTR DS:[40500C]
00404296 33D2          |XOR EDX,EDX
00404298 8BC1          |MOV EAX,ECX
0040429A F7F6          |DIV ESI
0040429C F7C1 0080FFFF |TEST ECX,FFFF8000
004042A2 0F85 4D010000 |JNZ 双色球过.004043F5
004042A8 68 D8104000    |PUSH 双色球过.004010D8                   ; UNICODE "_xvm_mem_process_info_0x"
004042AD 8D8424 EC080000 |LEA EAX,DWORD PTR SS:[ESP+8EC]
004042B4 E8 6A070000    |CALL 双色球过.00404A23
004042B9 6A 10          |PUSH 10
004042BB FF15 18C04100 |CALL DWORD PTR DS:[<&KERNEL32.GetCurren>; kernel32.GetCurrentProcessId
004042C1 8D8C24 EC080000 |LEA ECX,DWORD PTR SS:[ESP+8EC]
004042C8 E8 9A060000    |CALL 双色球过.00404967
004042CD 8B35 1CC04100 |MOV ESI,DWORD PTR DS:[<&KERNEL32.OpenFi>; kernel32.OpenFileMappingW
004042D3 8BC1          |MOV EAX,ECX
004042D5 50             |PUSH EAX
004042D6 57             |PUSH EDI
004042D7 6A 04          |PUSH 4
004042D9 897C24 40    |MOV DWORD PTR SS:[ESP+40],EDI
004042DD 897C24 44    |MOV DWORD PTR SS:[ESP+44],EDI
004042E1 FFD6          |CALL ESI
004042E3 894424 14    |MOV DWORD PTR SS:[ESP+14],EAX
004042E7 FF15 20C04100 |CALL DWORD PTR DS:[<&KERNEL32.GetLastEr>; ntdll.RtlGetLastWin32Error
004042ED 894424 10    |MOV DWORD PTR SS:[ESP+10],EAX
004042F1 397C24 14    |CMP DWORD PTR SS:[ESP+14],EDI
004042F5 0F84 AC000000 |JE 双色球过.004043A7
004042FB 57             |PUSH EDI
004042FC 57             |PUSH EDI
004042FD 57             |PUSH EDI
004042FE 6A 04          |PUSH 4
00404300 FF7424 24    |PUSH DWORD PTR SS:[ESP+24]
00404304 FF15 24C04100 |CALL DWORD PTR DS:[<&KERNEL32.MapViewOf>; kernel32.MapViewOfFile
0040430A 894424 34    |MOV DWORD PTR SS:[ESP+34],EAX
0040430E 3BC7          |CMP EAX,EDI
00404310 0F84 46040000 |JE 双色球过.0040475C
00404316 68 B0114000    |PUSH 双色球过.004011B0                   ; UNICODE "_xvm_mem_application_info_0x"
0040431B 8D8424 EC080000 |LEA EAX,DWORD PTR SS:[ESP+8EC]
00404322 E8 E0060000    |CALL 双色球过.00404A07
00404327 8B4424 34    |MOV EAX,DWORD PTR SS:[ESP+34]
0040432B 8B80 10020000 |MOV EAX,DWORD PTR DS:[EAX+210]
00404331 6A 10          |PUSH 10
00404333 8D8C24 EC080000 |LEA ECX,DWORD PTR SS:[ESP+8EC]
0040433A E8 28060000    |CALL 双色球过.00404967
0040433F FF7424 14    |PUSH DWORD PTR SS:[ESP+14]
00404343 FF15 28C04100 |CALL DWORD PTR DS:[<&KERNEL32.CloseHand>; kernel32.CloseHandle
00404349 8D8424 E8080000 |LEA EAX,DWORD PTR SS:[ESP+8E8]
00404350 50             |PUSH EAX
00404351 57             |PUSH EDI
00404352 6A 04          |PUSH 4
00404354 FFD6          |CALL ESI
00404356 8B35 20C04100 |MOV ESI,DWORD PTR DS:[<&KERNEL32.GetLas>; ntdll.RtlGetLastWin32Error
0040435C 894424 14    |MOV DWORD PTR SS:[ESP+14],EAX
00404360 FFD6          |CALL ESI
00404362 894424 10    |MOV DWORD PTR SS:[ESP+10],EAX
00404366 397C24 14    |CMP DWORD PTR SS:[ESP+14],EDI
0040436A 0F84 15040000 |JE 双色球过.00404785
00404370 57             |PUSH EDI
00404371 57             |PUSH EDI
00404372 57             |PUSH EDI
00404373 6A 04          |PUSH 4
00404375 FF7424 24    |PUSH DWORD PTR SS:[ESP+24]
00404379 FF15 24C04100 |CALL DWORD PTR DS:[<&KERNEL32.MapViewOf>; kernel32.MapViewOfFile
0040437F 894424 38    |MOV DWORD PTR SS:[ESP+38],EAX
00404383 3BC7          |CMP EAX,EDI
00404385 0F84 F1030000 |JE 双色球过.0040477C
0040438B 83C0 0C       |ADD EAX,0C
0040438E 50             |PUSH EAX
0040438F 8D8424 D4040000 |LEA EAX,DWORD PTR SS:[ESP+4D4]
00404396 E8 6C060000    |CALL 双色球过.00404A07
0040439B FF7424 14    |PUSH DWORD PTR SS:[ESP+14]
0040439F FF15 28C04100 |CALL DWORD PTR DS:[<&KERNEL32.CloseHand>; kernel32.CloseHandle
004043A5 EB 30          |JMP SHORT 双色球过.004043D7
004043A7 83F8 02       |CMP EAX,2
004043AA 0F85 3E050000 |JNZ 双色球过.004048EE
004043B0 68 04010000    |PUSH 104
004043B5 8D8424 D4040000 |LEA EAX,DWORD PTR SS:[ESP+4D4]
004043BC 50             |PUSH EAX
004043BD 57             |PUSH EDI
004043BE FF15 10C04100 |CALL DWORD PTR DS:[<&KERNEL32.GetModule>; kernel32.GetModuleFileNameW
004043C4 8D8C24 D0040000 |LEA ECX,DWORD PTR SS:[ESP+4D0]
004043CB E8 86050000    |CALL 双色球过.00404956
004043D0 898424 E4080000 |MOV DWORD PTR SS:[ESP+8E4],EAX
004043D7 E8 BBFAFFFF    |CALL 双色球过.00403E97
004043DC 8BC8          |MOV ECX,EAX
004043DE 2B0D 0C504000 |SUB ECX,DWORD PTR DS:[40500C]
004043E4 6A 03          |PUSH 3
004043E6 33D2          |XOR EDX,EDX
004043E8 8BC1          |MOV EAX,ECX
004043EA 5E             |POP ESI
004043EB F7F6          |DIV ESI
004043ED F7C1 0080FFFF |TEST ECX,FFFF8000
004043F3 74 07          |JE SHORT 双色球过.004043FC
004043F5 3BD7          |CMP EDX,EDI
004043F7 E9 16010000    |JMP 双色球过.00404512
004043FC 8D8424 D0040000 |LEA EAX,DWORD PTR SS:[ESP+4D0]
00404403 50             |PUSH EAX
00404404 8DB424 BC000000 |LEA ESI,DWORD PTR SS:[ESP+BC]
0040440B E8 BD050000    |CALL 双色球过.004049CD
00404410 68 28124000    |PUSH 双色球过.00401228                   ; UNICODE ", "
00404415 E8 B3050000    |CALL 双色球过.004049CD
0040441A 57             |PUSH EDI
0040441B 57             |PUSH EDI
0040441C 6A 03          |PUSH 3
0040441E 57             |PUSH EDI
0040441F 6A 07          |PUSH 7
00404421 68 00000080    |PUSH 80000000
00404426 8D8424 E8040000 |LEA EAX,DWORD PTR SS:[ESP+4E8]
0040442D 50             |PUSH EAX
0040442E FF15 2CC04100 |CALL DWORD PTR DS:[<&KERNEL32.CreateFil>; kernel32.CreateFileW
00404434 894424 18    |MOV DWORD PTR SS:[ESP+18],EAX
00404438 83F8 FF       |CMP EAX,-1
0040443B 0F84 4E030000 |JE 双色球过.0040478F
00404441 E8 98F9FFFF    |CALL 双色球过.00403DDE
00404446 85C0          |TEST EAX,EAX
00404448  ^ 0F85 F7FDFFFF \JNZ 双色球过.00404245
0040444E 33FF          XOR EDI,EDI
00404450 57             PUSH EDI
00404451 57             PUSH EDI
00404452 57             PUSH EDI
00404453 6A 02          PUSH 2
00404455 57             PUSH EDI
00404456 FF7424 2C    PUSH DWORD PTR SS:[ESP+2C]
0040445A FF15 30C04100 CALL DWORD PTR DS:[<&KERNEL32.CreateFile>; kernel32.CreateFileMappingW
00404460 894424 20    MOV DWORD PTR SS:[ESP+20],EAX
00404464 3BC7          CMP EAX,EDI
00404466 0F84 30030000 JE 双色球过.0040479C
0040446C 8B35 24C04100 MOV ESI,DWORD PTR DS:[<&KERNEL32.MapView>; kernel32.MapViewOfFile
00404472 68 00100000    PUSH 1000
00404477 57             PUSH EDI
00404478 57             PUSH EDI
00404479 6A 04          PUSH 4
0040447B 50             PUSH EAX
0040447C FFD6          CALL ESI
0040447E 894424 1C    MOV DWORD PTR SS:[ESP+1C],EAX
00404482 3BC7          CMP EAX,EDI
00404484 0F84 1F030000 JE 双色球过.004047A9
0040448A 8BF8          MOV EDI,EAX
0040448C E8 83F9FFFF    CALL 双色球过.00403E14
00404491 FF7424 1C    PUSH DWORD PTR SS:[ESP+1C]
00404495 8BF8          MOV EDI,EAX
00404497 897C24 34    MOV DWORD PTR SS:[ESP+34],EDI
0040449B FF15 34C04100 CALL DWORD PTR DS:[<&KERNEL32.UnmapViewO>; kernel32.UnmapViewOfFile
004044A1 8D8424 84000000 LEA EAX,DWORD PTR SS:[ESP+84]
004044A8 50             PUSH EAX
004044A9 FF7424 1C    PUSH DWORD PTR SS:[ESP+1C]
004044AD FF15 38C04100 CALL DWORD PTR DS:[<&KERNEL32.GetFileInf>; kernel32.GetFileInformationByHandle
004044B3 85C0          TEST EAX,EAX
004044B5 0F84 FB020000 JE 双色球过.004047B6
004044BB 33C0          XOR EAX,EAX
004044BD 398424 A4000000 CMP DWORD PTR SS:[ESP+A4],EAX
004044C4 75 0D          JNZ SHORT 双色球过.004044D3
004044C6 39BC24 A8000000 CMP DWORD PTR SS:[ESP+A8],EDI
004044CD 0F86 7C040000 JBE 双色球过.0040494F
004044D3 81C7 00100000 ADD EDI,1000
004044D9 57             PUSH EDI
004044DA 50             PUSH EAX
004044DB 50             PUSH EAX
004044DC 6A 04          PUSH 4
004044DE FF7424 30    PUSH DWORD PTR SS:[ESP+30]
004044E2 FFD6          CALL ESI
004044E4 8BF0          MOV ESI,EAX
004044E6 897424 1C    MOV DWORD PTR SS:[ESP+1C],ESI
004044EA 85F6          TEST ESI,ESI
004044EC 0F84 D1020000 JE 双色球过.004047C3
004044F2 E8 A0F9FFFF    CALL 双色球过.00403E97
004044F7 8BC8          MOV ECX,EAX
004044F9 2B0D 0C504000 SUB ECX,DWORD PTR DS:[40500C]
004044FF 6A 03          PUSH 3
00404501 33D2          XOR EDX,EDX
00404503 8BC1          MOV EAX,ECX
00404505 5F             POP EDI
00404506 F7F7          DIV EDI
00404508 F7C1 0080FFFF TEST ECX,FFFF8000
0040450E 74 16          JE SHORT 双色球过.00404526
00404510 85D2          TEST EDX,EDX
00404512 0F84 68030000 JE 双色球过.00404880
00404518 83FA 01       CMP EDX,1
0040451B  ^ 0F84 24FDFFFF JE 双色球过.00404245
00404521 E9 39010000    JMP 双色球过.0040465F
00404526 8BFE          MOV EDI,ESI
00404528 E8 E7F8FFFF    CALL 双色球过.00403E14
0040452D 03C6          ADD EAX,ESI
0040452F 8B08          MOV ECX,DWORD PTR DS:[EAX]
00404531 894424 10    MOV DWORD PTR SS:[ESP+10],EAX
00404535 8D70 04       LEA ESI,DWORD PTR DS:[EAX+4]
00404538 81F9 78766D00 CMP ECX,6D7678
0040453E 0F85 8C020000 JNZ 双色球过.004047D0
00404544 8B06          MOV EAX,DWORD PTR DS:[ESI]
00404546 83C6 04       ADD ESI,4
00404549 83F8 01       CMP EAX,1
0040454C 0F85 94020000 JNZ 双色球过.004047E6
00404552 8B06          MOV EAX,DWORD PTR DS:[ESI]
00404554 8BF8          MOV EDI,EAX
00404556 69FF 05840808 IMUL EDI,EDI,8088405
0040455C 83C6 04       ADD ESI,4
0040455F 8B0E          MOV ECX,DWORD PTR DS:[ESI]
00404561 47             INC EDI
00404562 8BD7          MOV EDX,EDI
00404564 33D0          XOR EDX,EAX
00404566 83C6 04       ADD ESI,4
00404569 3BD1          CMP EDX,ECX
0040456B 0F85 8B020000 JNZ 双色球过.004047FC
00404571 8B0E          MOV ECX,DWORD PTR DS:[ESI]
00404573 8BC7          MOV EAX,EDI
00404575 69C0 05840808 IMUL EAX,EAX,8088405
0040457B 40             INC EAX
0040457C 8BD0          MOV EDX,EAX
0040457E 33D7          XOR EDX,EDI
00404580 83C6 04       ADD ESI,4
00404583 3BD1          CMP EDX,ECX
00404585 0F85 87020000 JNZ 双色球过.00404812
0040458B 8B0E          MOV ECX,DWORD PTR DS:[ESI]
0040458D 69C0 05840808 IMUL EAX,EAX,8088405
00404593 FF7424 1C    PUSH DWORD PTR SS:[ESP+1C]
00404597 40             INC EAX
00404598 33C8          XOR ECX,EAX
0040459A 69C0 05840808 IMUL EAX,EAX,8088405
004045A0 83C6 04       ADD ESI,4
004045A3 40             INC EAX
004045A4 3306          XOR EAX,DWORD PTR DS:[ESI]
004045A6 894C24 2C    MOV DWORD PTR SS:[ESP+2C],ECX
004045AA 894424 28    MOV DWORD PTR SS:[ESP+28],EAX
004045AE FF15 34C04100 CALL DWORD PTR DS:[<&KERNEL32.UnmapViewO>; kernel32.UnmapViewOfFile
004045B4 FF7424 20    PUSH DWORD PTR SS:[ESP+20]
004045B8 FF15 28C04100 CALL DWORD PTR DS:[<&KERNEL32.CloseHandl>; kernel32.CloseHandle
004045BE 33C0          XOR EAX,EAX
004045C0 50             PUSH EAX
004045C1 50             PUSH EAX
004045C2 50             PUSH EAX
004045C3 6A 08          PUSH 8
004045C5 50             PUSH EAX
004045C6 FF7424 2C    PUSH DWORD PTR SS:[ESP+2C]
004045CA FF15 30C04100 CALL DWORD PTR DS:[<&KERNEL32.CreateFile>; kernel32.CreateFileMappingW
004045D0 894424 20    MOV DWORD PTR SS:[ESP+20],EAX
004045D4 85C0          TEST EAX,EAX
004045D6 0F84 4C020000 JE 双色球过.00404828
004045DC 2B7424 10    SUB ESI,DWORD PTR SS:[ESP+10]
004045E0 8B4C24 24    MOV ECX,DWORD PTR SS:[ESP+24]
004045E4 83C6 04       ADD ESI,4
004045E7 03CE          ADD ECX,ESI
004045E9 034C24 30    ADD ECX,DWORD PTR SS:[ESP+30]
004045ED 897424 3C    MOV DWORD PTR SS:[ESP+3C],ESI
004045F1 51             PUSH ECX
004045F2 6A 00          PUSH 0
004045F4 6A 00          PUSH 0
004045F6 6A 01          PUSH 1
004045F8 50             PUSH EAX
004045F9 FF15 24C04100 CALL DWORD PTR DS:[<&KERNEL32.MapViewOfF>; kernel32.MapViewOfFile
004045FF 33C9          XOR ECX,ECX
00404601 894424 1C    MOV DWORD PTR SS:[ESP+1C],EAX
00404605 3BC1          CMP EAX,ECX
00404607 0F84 2B020000 JE 双色球过.00404838
0040460D 8B4424 30    MOV EAX,DWORD PTR SS:[ESP+30]
00404611 03C6          ADD EAX,ESI
00404613 034424 1C    ADD EAX,DWORD PTR SS:[ESP+1C]
00404617 8B7424 24    MOV ESI,DWORD PTR SS:[ESP+24]
0040461B 894424 2C    MOV DWORD PTR SS:[ESP+2C],EAX
0040461F 3BF1          CMP ESI,ECX
00404621 76 17          JBE SHORT 双色球过.0040463A
00404623 69FF FD430300 /IMUL EDI,EDI,343FD
00404629 81C7 C39E2600 |ADD EDI,269EC3
0040462F 8BD7          |MOV EDX,EDI
00404631 C1EA 10       |SHR EDX,10
00404634 3010          |XOR BYTE PTR DS:[EAX],DL
00404636 40             |INC EAX
00404637 4E             |DEC ESI
00404638  ^ 75 E9          \JNZ SHORT 双色球过.00404623
0040463A 8D7424 4C    LEA ESI,DWORD PTR SS:[ESP+4C]
0040463E 894C24 6C    MOV DWORD PTR SS:[ESP+6C],ECX
00404642 894C24 70    MOV DWORD PTR SS:[ESP+70],ECX
00404646 894C24 74    MOV DWORD PTR SS:[ESP+74],ECX
0040464A 894C24 50    MOV DWORD PTR SS:[ESP+50],ECX
0040464E 894C24 4C    MOV DWORD PTR SS:[ESP+4C],ECX
00404652 E8 D9F6FFFF    CALL 双色球过.00403D30
00404657 85C0          TEST EAX,EAX
00404659 0F85 E9010000 JNZ 双色球过.00404848
0040465F 6A 04          /PUSH 4
00404661 68 00100000    |PUSH 1000
00404666 FF7424 30    |PUSH DWORD PTR SS:[ESP+30]
0040466A 6A 00          |PUSH 0
0040466C FF15 3CC04100 |CALL DWORD PTR DS:[<&KERNEL32.VirtualAl>; kernel32.VirtualAlloc
00404672 8BF0          |MOV ESI,EAX
00404674 E8 1EF8FFFF    |CALL 双色球过.00403E97
00404679 8BC8          |MOV ECX,EAX
0040467B 2B0D 0C504000 |SUB ECX,DWORD PTR DS:[40500C]
00404681 6A 03          |PUSH 3
00404683 33D2          |XOR EDX,EDX
00404685 8BC1          |MOV EAX,ECX
00404687 5F             |POP EDI
00404688 F7F7          |DIV EDI
0040468A F7C1 0080FFFF |TEST ECX,FFFF8000
00404690 74 12          |JE SHORT 双色球过.004046A4
00404692 85D2          |TEST EDX,EDX
00404694 0F84 E6010000 |JE 双色球过.00404880
0040469A 83FA 01       |CMP EDX,1
0040469D  ^ 75 C0          \JNZ SHORT 双色球过.0040465F
0040469F  ^ E9 A1FBFFFF    JMP 双色球过.00404245
004046A4 8B4424 24    MOV EAX,DWORD PTR SS:[ESP+24]
004046A8 894424 50    MOV DWORD PTR SS:[ESP+50],EAX
004046AC 8B4424 2C    MOV EAX,DWORD PTR SS:[ESP+2C]
004046B0 894424 4C    MOV DWORD PTR SS:[ESP+4C],EAX
004046B4 8B4424 28    MOV EAX,DWORD PTR SS:[ESP+28]
004046B8 894424 5C    MOV DWORD PTR SS:[ESP+5C],EAX
004046BC 8D4424 4C    LEA EAX,DWORD PTR SS:[ESP+4C]
004046C0 50             PUSH EAX
004046C1 897424 5C    MOV DWORD PTR SS:[ESP+5C],ESI
004046C5 E8 76E7FFFF    CALL 双色球过.00402E40
004046CA 59             POP ECX
004046CB 83F8 01       CMP EAX,1
004046CE 0F85 8A010000 JNZ 双色球过.0040485E
004046D4 FF7424 1C    PUSH DWORD PTR SS:[ESP+1C]
004046D8 FF15 34C04100 CALL DWORD PTR DS:[<&KERNEL32.UnmapViewO>; kernel32.UnmapViewOfFile
004046DE FF7424 20    PUSH DWORD PTR SS:[ESP+20]
004046E2 FF15 28C04100 CALL DWORD PTR DS:[<&KERNEL32.CloseHandl>; kernel32.CloseHandle
004046E8 E8 AAF7FFFF    CALL 双色球过.00403E97
004046ED 8BC8          MOV ECX,EAX
004046EF 2B0D 0C504000 SUB ECX,DWORD PTR DS:[40500C]
004046F5 6A 03          PUSH 3
004046F7 33D2          XOR EDX,EDX
004046F9 8BC1          MOV EAX,ECX
004046FB 5F             POP EDI
004046FC F7F7          DIV EDI
004046FE F7C1 0080FFFF TEST ECX,FFFF8000
00404704  ^ 0F85 06FEFFFF JNZ 双色球过.00404510
0040470A 56             PUSH ESI
0040470B E8 4EF8FFFF    CALL 双色球过.00403F5E
00404710 C70424 00800000 MOV DWORD PTR SS:[ESP],8000
00404717 FF7424 2C    PUSH DWORD PTR SS:[ESP+2C]
0040471B 8BF8          MOV EDI,EAX
0040471D 56             PUSH ESI
0040471E FF15 40C04100 CALL DWORD PTR DS:[<&KERNEL32.VirtualFre>; kernel32.VirtualFree
00404724 85FF          TEST EDI,EDI
00404726 0F84 00020000 JE 双色球过.0040492C
0040472C 57             PUSH EDI
0040472D E8 2FF7FFFF    CALL 双色球过.00403E61
00404732 59             POP ECX
00404733 57             PUSH EDI
00404734 E8 8BF7FFFF    CALL 双色球过.00403EC4
00404739 59             POP ECX
0040473A 894424 10    MOV DWORD PTR SS:[ESP+10],EAX
0040473E 85C0          TEST EAX,EAX
00404740 0F85 2E010000 JNZ 双色球过.00404874
00404746 68 20114000    PUSH 双色球过.00401120                      ; UNICODE "There has been an error starting this virtual appliance.  Error code: "
0040474B 8BC3          MOV EAX,EBX
0040474D E8 B5020000    CALL 双色球过.00404A07
00404752 68 5C134000    PUSH 双色球过.0040135C                      ; UNICODE "0x0006"
00404757 E9 C9010000    JMP 双色球过.00404925
0040475C FF15 20C04100 CALL DWORD PTR DS:[<&KERNEL32.GetLastErr>; ntdll.RtlGetLastWin32Error
00404762 68 0C114000    PUSH 双色球过.0040110C                      ; UNICODE "0x00020: "
00404767 8DB424 BC000000 LEA ESI,DWORD PTR SS:[ESP+BC]
0040476E 8BF8          MOV EDI,EAX
00404770 E8 58020000    CALL 双色球过.004049CD
00404775 8BC7          MOV EAX,EDI
00404777 E9 87010000    JMP 双色球过.00404903
0040477C FFD6          CALL ESI
0040477E 68 EC114000    PUSH 双色球过.004011EC                      ; UNICODE "0x00021: "
00404783  ^ EB E2          JMP SHORT 双色球过.00404767
00404785 68 00124000    PUSH 双色球过.00401200                      ; UNICODE "0x00022: "
0040478A E9 64010000    JMP 双色球过.004048F3
0040478F FF15 20C04100 CALL DWORD PTR DS:[<&KERNEL32.GetLastErr>; ntdll.RtlGetLastWin32Error
00404795 68 30124000    PUSH 双色球过.00401230                      ; UNICODE "0x0003: "
0040479A  ^ EB CB          JMP SHORT 双色球过.00404767
0040479C FF15 20C04100 CALL DWORD PTR DS:[<&KERNEL32.GetLastErr>; ntdll.RtlGetLastWin32Error
004047A2 68 7C124000    PUSH 双色球过.0040127C                      ; UNICODE "0x00040: "
004047A7  ^ EB BE          JMP SHORT 双色球过.00404767
004047A9 FF15 20C04100 CALL DWORD PTR DS:[<&KERNEL32.GetLastErr>; ntdll.RtlGetLastWin32Error
004047AF 68 90124000    PUSH 双色球过.00401290                      ; UNICODE "0x00050: "
004047B4  ^ EB B1          JMP SHORT 双色球过.00404767
004047B6 FF15 20C04100 CALL DWORD PTR DS:[<&KERNEL32.GetLastErr>; ntdll.RtlGetLastWin32Error
004047BC 68 A4124000    PUSH 双色球过.004012A4                      ; UNICODE "0x00053: "
004047C1  ^ EB A4          JMP SHORT 双色球过.00404767
004047C3 FF15 20C04100 CALL DWORD PTR DS:[<&KERNEL32.GetLastErr>; ntdll.RtlGetLastWin32Error
004047C9 68 B8124000    PUSH 双色球过.004012B8                      ; UNICODE "0x00051: "
004047CE  ^ EB 97          JMP SHORT 双色球过.00404767
004047D0 68 20114000    PUSH 双色球过.00401120                      ; UNICODE "There has been an error starting this virtual appliance.  Error code: "
004047D5 8BC3          MOV EAX,EBX
004047D7 E8 2B020000    CALL 双色球过.00404A07
004047DC 68 CC124000    PUSH 双色球过.004012CC                      ; UNICODE "0x00E00"
004047E1 E9 3F010000    JMP 双色球过.00404925
004047E6 68 20114000    PUSH 双色球过.00401120                      ; UNICODE "There has been an error starting this virtual appliance.  Error code: "
004047EB 8BC3          MOV EAX,EBX
004047ED E8 15020000    CALL 双色球过.00404A07
004047F2 68 DC124000    PUSH 双色球过.004012DC                      ; UNICODE "0x00E01"
004047F7 E9 29010000    JMP 双色球过.00404925
004047FC 68 20114000    PUSH 双色球过.00401120                      ; UNICODE "There has been an error starting this virtual appliance.  Error code: "
00404801 8BC3          MOV EAX,EBX
00404803 E8 FF010000    CALL 双色球过.00404A07
00404808 68 EC124000    PUSH 双色球过.004012EC                      ; UNICODE "0x00E1"
0040480D E9 13010000    JMP 双色球过.00404925
00404812 68 20114000    PUSH 双色球过.00401120                      ; UNICODE "There has been an error starting this virtual appliance.  Error code: "
00404817 8BC3          MOV EAX,EBX
00404819 E8 E9010000    CALL 双色球过.00404A07
0040481E 68 FC124000    PUSH 双色球过.004012FC                      ; UNICODE "0x00E2"
00404823 E9 FD000000    JMP 双色球过.00404925
00404828 FF15 20C04100 CALL DWORD PTR DS:[<&KERNEL32.GetLastErr>; ntdll.RtlGetLastWin32Error
0040482E 68 0C134000    PUSH 双色球过.0040130C                      ; UNICODE "0x00041: "
00404833  ^ E9 2FFFFFFF    JMP 双色球过.00404767
00404838 FF15 20C04100 CALL DWORD PTR DS:[<&KERNEL32.GetLastErr>; ntdll.RtlGetLastWin32Error
0040483E 68 20134000    PUSH 双色球过.00401320                      ; UNICODE "0x00052: "
00404843  ^ E9 1FFFFFFF    JMP 双色球过.00404767
00404848 68 20114000    PUSH 双色球过.00401120                      ; UNICODE "There has been an error starting this virtual appliance.  Error code: "
0040484D 8BC3          MOV EAX,EBX
0040484F E8 B3010000    CALL 双色球过.00404A07
00404854 68 34134000    PUSH 双色球过.00401334                      ; UNICODE "0x00Z1"
00404859 E9 C7000000    JMP 双色球过.00404925
0040485E 68 20114000    PUSH 双色球过.00401120                      ; UNICODE "There has been an error starting this virtual appliance.  Error code: "
00404863 8BC3          MOV EAX,EBX
00404865 E8 9D010000    CALL 双色球过.00404A07
0040486A 68 44134000    PUSH 双色球过.00401344                      ; UNICODE "0x00Z2"
0040486F E9 B1000000    JMP 双色球过.00404925
00404874 6A 00          PUSH 0
00404876 FF15 44C04100 CALL DWORD PTR DS:[<&KERNEL32.GetModuleH>; kernel32.GetModuleHandleA
0040487C 894424 2C    MOV DWORD PTR SS:[ESP+2C],EAX
00404880 33FF          XOR EDI,EDI
00404882 57             PUSH EDI
00404883 57             PUSH EDI
00404884 57             PUSH EDI
00404885 6A 02          PUSH 2
00404887 57             PUSH EDI
00404888 FF7424 2C    PUSH DWORD PTR SS:[ESP+2C]
0040488C FF15 30C04100 CALL DWORD PTR DS:[<&KERNEL32.CreateFile>; kernel32.CreateFileMappingW
00404892 8BF0          MOV ESI,EAX
00404894 3BF7          CMP ESI,EDI
00404896 75 10          JNZ SHORT 双色球过.004048A8
00404898 FF15 20C04100 CALL DWORD PTR DS:[<&KERNEL32.GetLastErr>; ntdll.RtlGetLastWin32Error
0040489E 68 6C134000    PUSH 双色球过.0040136C                      ; UNICODE "0x00042: "
004048A3  ^ E9 BFFEFFFF    JMP 双色球过.00404767
004048A8 8D4424 40    LEA EAX,DWORD PTR SS:[ESP+40]
004048AC 50             PUSH EAX
004048AD FF7424 1C    PUSH DWORD PTR SS:[ESP+1C]
004048B1 FF15 48C04100 CALL DWORD PTR DS:[<&KERNEL32.GetFileSiz>; kernel32.GetFileSizeEx
004048B7 FF7424 18    PUSH DWORD PTR SS:[ESP+18]
004048BB FF15 28C04100 CALL DWORD PTR DS:[<&KERNEL32.CloseHandl>; kernel32.CloseHandle
004048C1 FF7424 38    PUSH DWORD PTR SS:[ESP+38]
004048C5 8B4C24 28    MOV ECX,DWORD PTR SS:[ESP+28]
004048C9 FF7424 38    PUSH DWORD PTR SS:[ESP+38]
004048CD 8B4424 44    MOV EAX,DWORD PTR SS:[ESP+44]
004048D1 03C1          ADD EAX,ECX
004048D3 034424 38    ADD EAX,DWORD PTR SS:[ESP+38]
004048D7 50             PUSH EAX
004048D8 FF7424 50    PUSH DWORD PTR SS:[ESP+50]
004048DC FF7424 50    PUSH DWORD PTR SS:[ESP+50]
004048E0 56             PUSH ESI
004048E1 FF7424 44    PUSH DWORD PTR SS:[ESP+44]
004048E5 FF5424 2C    CALL DWORD PTR SS:[ESP+2C]
004048E9 83C4 1C       ADD ESP,1C
004048EC EB 61          JMP SHORT 双色球过.0040494F
004048EE 68 14124000    PUSH 双色球过.00401214                      ; UNICODE "0x00023: "
004048F3 8DB424 BC000000 LEA ESI,DWORD PTR SS:[ESP+BC]
004048FA E8 CE000000    CALL 双色球过.004049CD
004048FF 8B4424 10    MOV EAX,DWORD PTR SS:[ESP+10]
00404903 6A 0A          PUSH 0A
00404905 8D8C24 BC000000 LEA ECX,DWORD PTR SS:[ESP+BC]
0040490C E8 56000000    CALL 双色球过.00404967
00404911 68 20114000    PUSH 双色球过.00401120                      ; UNICODE "There has been an error starting this virtual appliance.  Error code: "
00404916 8BC3          MOV EAX,EBX
00404918 E8 EA000000    CALL 双色球过.00404A07
0040491D 8D8424 B8000000 LEA EAX,DWORD PTR SS:[ESP+B8]
00404924 50             PUSH EAX
00404925 8BF3          MOV ESI,EBX
00404927 E8 A1000000    CALL 双色球过.004049CD
0040492C 68 80134000    PUSH 双色球过.00401380                      ; ASCII "MessageBoxW"
00404931 68 8C134000    PUSH 双色球过.0040138C                      ; UNICODE "user32.dll"
00404936 FF15 50C04100 CALL DWORD PTR DS:[<&KERNEL32.LoadLibrar>; kernel32.LoadLibraryW
0040493C 50             PUSH EAX
0040493D FF15 4CC04100 CALL DWORD PTR DS:[<&KERNEL32.GetProcAdd>; kernel32.GetProcAddress
00404943 6A 10          PUSH 10
00404945 68 A8134000    PUSH 双色球过.004013A8                      ; UNICODE "Xenocode Virtual Appliance Runtime"
0040494A 53             PUSH EBX
0040494B 6A 00          PUSH 0
0040494D FFD0          CALL EAX
0040494F 5F             POP EDI
00404950 5E             POP ESI
00404951 5B             POP EBX
00404952 8BE5          MOV ESP,EBP
00404954 5D             POP EBP
00404955 C3             RETN
00404956 33C0          XOR EAX,EAX
00404958 66:3901       CMP WORD PTR DS:[ECX],AX
0040495B 74 09          JE SHORT 双色球过.00404966
0040495D 40             /INC EAX
0040495E 41             |INC ECX
0040495F 41             |INC ECX
00404960 66:8339 00    |CMP WORD PTR DS:[ECX],0
00404964  ^ 75 F7          \JNZ SHORT 双色球过.0040495D
00404966 C3             RETN
00404967 56             PUSH ESI
00404968 8BB1 14040000 MOV ESI,DWORD PTR DS:[ECX+414]
0040496E 57             PUSH EDI
0040496F 33D2          /XOR EDX,EDX
00404971 F77424 0C    |DIV DWORD PTR SS:[ESP+C]
00404975 8BB9 14040000 |MOV EDI,DWORD PTR DS:[ECX+414]
0040497B 66:8B1455 80104>|MOV DX,WORD PTR DS:[EDX*2+401080]
00404983 66:891479    |MOV WORD PTR DS:[ECX+EDI*2],DX
00404987 FF81 14040000 |INC DWORD PTR DS:[ECX+414]
0040498D 8B91 14040000 |MOV EDX,DWORD PTR DS:[ECX+414]
00404993 85C0          |TEST EAX,EAX
00404995  ^ 77 D8          \JA SHORT 双色球过.0040496F
00404997 33C0          XOR EAX,EAX
00404999 66:890451    MOV WORD PTR DS:[ECX+EDX*2],AX
0040499D 8B81 14040000 MOV EAX,DWORD PTR DS:[ECX+414]
004049A3 EB 11          JMP SHORT 双色球过.004049B6
004049A5 0FB71471       /MOVZX EDX,WORD PTR DS:[ECX+ESI*2]
004049A9 66:8B3C41    |MOV DI,WORD PTR DS:[ECX+EAX*2]
004049AD 66:893C71    |MOV WORD PTR DS:[ECX+ESI*2],DI
004049B1 66:891441    |MOV WORD PTR DS:[ECX+EAX*2],DX
004049B5 46             |INC ESI
004049B6 48             DEC EAX
004049B7 3BF0          |CMP ESI,EAX
004049B9  ^ 72 EA          \JB SHORT 双色球过.004049A5
004049BB 5F             POP EDI
004049BC 5E             POP ESI
004049BD C2 0400       RETN 4
004049C0 83A0 14040000 0>AND DWORD PTR DS:[EAX+414],0
004049C7 33C9          XOR ECX,ECX
004049C9 66:8908       MOV WORD PTR DS:[EAX],CX
004049CC C3             RETN
004049CD 8B4C24 04    MOV ECX,DWORD PTR SS:[ESP+4]
004049D1 57             PUSH EDI
004049D2 E8 7FFFFFFF    CALL 双色球过.00404956
004049D7 FF7424 08    PUSH DWORD PTR SS:[ESP+8]
004049DB 8BF8          MOV EDI,EAX
004049DD 8B86 14040000 MOV EAX,DWORD PTR DS:[ESI+414]
004049E3 8D143F       LEA EDX,DWORD PTR DS:[EDI+EDI]
004049E6 8D0446       LEA EAX,DWORD PTR DS:[ESI+EAX*2]
004049E9 E8 85000000    CALL 双色球过.00404A73
004049EE 8B86 14040000 MOV EAX,DWORD PTR DS:[ESI+414]
004049F4 59             POP ECX
004049F5 03C7          ADD EAX,EDI
004049F7 33C9          XOR ECX,ECX
004049F9 66:890C46    MOV WORD PTR DS:[ESI+EAX*2],CX
004049FD 01BE 14040000 ADD DWORD PTR DS:[ESI+414],EDI
00404A03 5F             POP EDI
00404A04 C2 0400       RETN 4
00404A07 56             PUSH ESI
00404A08 FF7424 08    PUSH DWORD PTR SS:[ESP+8]
00404A0C 8BF0          MOV ESI,EAX
00404A0E 83A6 14040000 0>AND DWORD PTR DS:[ESI+414],0
00404A15 33C0          XOR EAX,EAX
00404A17 66:8906       MOV WORD PTR DS:[ESI],AX
00404A1A E8 AEFFFFFF    CALL 双色球过.004049CD
00404A1F 5E             POP ESI
00404A20 C2 0400       RETN 4
00404A23 56             PUSH ESI
00404A24 FF7424 08    PUSH DWORD PTR SS:[ESP+8]
00404A28 8BF0          MOV ESI,EAX
00404A2A 83A6 14040000 0>AND DWORD PTR DS:[ESI+414],0
00404A31 33C0          XOR EAX,EAX
00404A33 66:8906       MOV WORD PTR DS:[ESI],AX
00404A36 E8 92FFFFFF    CALL 双色球过.004049CD
00404A3B 8BC6          MOV EAX,ESI
00404A3D 5E             POP ESI
00404A3E C2 0400       RETN 4
00404A41 33C0          XOR EAX,EAX
00404A43 3801          CMP BYTE PTR DS:[ECX],AL
00404A45 74 07          JE SHORT 双色球过.00404A4E
00404A47 40             /INC EAX
00404A48 41             |INC ECX
00404A49 8039 00       |CMP BYTE PTR DS:[ECX],0
00404A4C  ^ 75 F9          \JNZ SHORT 双色球过.00404A47
00404A4E C3             RETN
00404A4F 03D1          ADD EDX,ECX
00404A51 33C0          XOR EAX,EAX
00404A53 3BCA          CMP ECX,EDX
00404A55 74 1B          JE SHORT 双色球过.00404A72
00404A57 56             PUSH ESI
00404A58 BE 54134000    MOV ESI,双色球过.00401354                   ; ASCII "RunVM"
00404A5D 2BF1          SUB ESI,ECX
00404A5F 57             PUSH EDI
00404A60 0FB63C0E       /MOVZX EDI,BYTE PTR DS:[ESI+ECX]
00404A64 0FB601       |MOVZX EAX,BYTE PTR DS:[ECX]
00404A67 2BC7          |SUB EAX,EDI
00404A69 75 05          |JNZ SHORT 双色球过.00404A70
00404A6B 41             |INC ECX
00404A6C 3BCA          |CMP ECX,EDX
00404A6E  ^ 75 F0          \JNZ SHORT 双色球过.00404A60
00404A70 5F             POP EDI
00404A71 5E             POP ESI
00404A72 C3             RETN
00404A73 56             PUSH ESI
00404A74 8D3410       LEA ESI,DWORD PTR DS:[EAX+EDX]
00404A77 8BC8          MOV ECX,EAX
00404A79 3BC6          CMP EAX,ESI
00404A7B 74 12          JE SHORT 双色球过.00404A8F
00404A7D 57             PUSH EDI
00404A7E 8B7C24 0C    MOV EDI,DWORD PTR SS:[ESP+C]
00404A82 2BF8          SUB EDI,EAX
00404A84 8A140F       /MOV DL,BYTE PTR DS:[EDI+ECX]
00404A87 8811          |MOV BYTE PTR DS:[ECX],DL
00404A89 41             |INC ECX
00404A8A 3BCE          |CMP ECX,ESI
00404A8C  ^ 75 F6          \JNZ SHORT 双色球过.00404A84
00404A8E 5F             POP EDI
00404A8F 5E             POP ESI
00404A90 C3             RETN
00404A91 FF7424 04    PUSH DWORD PTR SS:[ESP+4]
00404A95 6A 00          PUSH 0
00404A97 FF15 04C04100 CALL DWORD PTR DS:[<&KERNEL32.GetProcess>; kernel32.GetProcessHeap
00404A9D 50             PUSH EAX
00404A9E FF15 08C04100 CALL DWORD PTR DS:[<&KERNEL32.HeapFree>] ; ntdll.RtlFreeHeap
00404AA4 C3             RETN
00404AA5 FF7424 04    PUSH DWORD PTR SS:[ESP+4]
00404AA9 6A 00          PUSH 0
00404AAB FF15 04C04100 CALL DWORD PTR DS:[<&KERNEL32.GetProcess>; kernel32.GetProcessHeap
00404AB1 50             PUSH EAX
00404AB2 FF15 00C04100 CALL DWORD PTR DS:[<&KERNEL32.HeapAlloc>>; ntdll.RtlAllocateHeap
00404AB8 C3             RETN
00404AB9 CC             INT3
00404ABA CC             INT3
00404ABB CC             INT3
00404ABC E4 4A          IN AL,4A                               ; I/O 命令
00404ABE 0000          ADD BYTE PTR DS:[EAX],AL
00404AC0 0000          ADD BYTE PTR DS:[EAX],AL
00404AC2 0000          ADD BYTE PTR DS:[EAX],AL
00404AC4 0000          ADD BYTE PTR DS:[EAX],AL
00404AC6 0000          ADD BYTE PTR DS:[EAX],AL
00404AC8 B6 4C          MOV DH,4C
00404ACA 0000          ADD BYTE PTR DS:[EAX],AL
00404ACC 0010          ADD BYTE PTR DS:[EAX],DL
00404ACE 0000          ADD BYTE PTR DS:[EAX],AL
00404AD0 0000          ADD BYTE PTR DS:[EAX],AL
00404AD2 0000          ADD BYTE PTR DS:[EAX],AL
00404AD4 0000          ADD BYTE PTR DS:[EAX],AL
00404AD6 0000          ADD BYTE PTR DS:[EAX],AL
00404AD8 0000          ADD BYTE PTR DS:[EAX],AL
00404ADA 0000          ADD BYTE PTR DS:[EAX],AL
00404ADC 0000          ADD BYTE PTR DS:[EAX],AL
00404ADE 0000          ADD BYTE PTR DS:[EAX],AL
00404AE0 0000          ADD BYTE PTR DS:[EAX],AL
00404AE2 0000          ADD BYTE PTR DS:[EAX],AL
00404AE4 3C 4B          CMP AL,4B
00404AE6 0000          ADD BYTE PTR DS:[EAX],AL
00404AE8 48             DEC EAX
00404AE9 4B             DEC EBX
00404AEA 0000          ADD BYTE PTR DS:[EAX],AL
00404AEC 5A             POP EDX
00404AED 4B             DEC EBX
00404AEE 0000          ADD BYTE PTR DS:[EAX],AL
00404AF0 66:4B          DEC BX
00404AF2 0000          ADD BYTE PTR DS:[EAX],AL
00404AF4 76 4B          JBE SHORT 双色球过.00404B41
00404AF6 0000          ADD BYTE PTR DS:[EAX],AL
00404AF8 8C4B 00       MOV WORD PTR DS:[EBX],CS
00404AFB 00A6 4B0000BC ADD BYTE PTR DS:[ESI+BC00004B],AH
00404B01 4B             DEC EBX
00404B02 0000          ADD BYTE PTR DS:[EAX],AL
00404B04 D04B 00       ROR BYTE PTR DS:[EBX],1
00404B07 00E0          ADD AL,AH
00404B09 4B             DEC EBX
00404B0A 0000          ADD BYTE PTR DS:[EAX],AL
00404B0C F0:4B          LOCK DEC EBX                            ; 不允许锁定前缀
00404B0E 0000          ADD BYTE PTR DS:[EAX],AL
00404B10 FE4B 00       DEC BYTE PTR DS:[EBX]
00404B13 000C4C       ADD BYTE PTR SS:[ESP+ECX*2],CL
00404B16 0000          ADD BYTE PTR DS:[EAX],AL
00404B18 224C00 00    AND CL,BYTE PTR DS:[EAX+EAX]
00404B1C 34 4C          XOR AL,4C
00404B1E 0000          ADD BYTE PTR DS:[EAX],AL
00404B20 52             PUSH EDX
00404B21 4C             DEC ESP
00404B22 0000          ADD BYTE PTR DS:[EAX],AL
00404B24 624C00 00    BOUND ECX,QWORD PTR DS:[EAX+EAX]
00404B28 70 4C          JO SHORT 双色球过.00404B76
00404B2A 0000          ADD BYTE PTR DS:[EAX],AL
00404B2C 844C00 00    TEST BYTE PTR DS:[EAX+EAX],CL
00404B30 94             XCHG EAX,ESP
00404B31 4C             DEC ESP
00404B32 0000          ADD BYTE PTR DS:[EAX],AL
00404B34 A6             CMPS BYTE PTR DS:[ESI],BYTE PTR ES:[EDI]
00404B35 4C             DEC ESP
00404B36 0000          ADD BYTE PTR DS:[EAX],AL
00404B38 0000          ADD BYTE PTR DS:[EAX],AL
00404B3A 0000          ADD BYTE PTR DS:[EAX],AL
00404B3C 9D             POPFD
00404B3D 0248 65       ADD CL,BYTE PTR DS:[EAX+65]
00404B40 61             POPAD
00404B41 70 41          JO SHORT 双色球过.00404B84
00404B43 6C             INS BYTE PTR ES:[EDI],DX                ; I/O 命令
00404B44 6C             INS BYTE PTR ES:[EDI],DX                ; I/O 命令
00404B45 6F             OUTS DX,DWORD PTR ES:[EDI]             ; I/O 命令
00404B46 6300          ARPL WORD PTR DS:[EAX],AX
00404B48 2302          AND EAX,DWORD PTR DS:[EDX]
00404B4A 47             INC EDI
00404B4B 65:74 50       JE SHORT 双色球过.00404B9E                ; 多余前缀
00404B4E 72 6F          JB SHORT 双色球过.00404BBF
00404B50 6365 73       ARPL WORD PTR SS:[EBP+73],SP
00404B53 73 48          JNB SHORT 双色球过.00404B9D
00404B55 65:61          POPAD                                  ; 多余前缀
00404B57 70 00          JO SHORT 双色球过.00404B59
00404B59 00A1 02486561 ADD BYTE PTR DS:[ECX+61654802],AH
00404B5F 70 46          JO SHORT 双色球过.00404BA7
00404B61 72 65          JB SHORT 双色球过.00404BC8
00404B63 65:0000       ADD BYTE PTR GS:[EAX],AL
00404B66 66:0247 65    ADD AL,BYTE PTR DS:[EDI+65]
00404B6A 74 54          JE SHORT 双色球过.00404BC0
00404B6C 6963 6B 436F756>IMUL ESP,DWORD PTR DS:[EBX+6B],6E756F43
00404B73 74 00          JE SHORT 双色球过.00404B75
00404B75 00F5          ADD CH,DH
00404B77 0147 65       ADD DWORD PTR DS:[EDI+65],EAX
00404B7A 74 4D          JE SHORT 双色球过.00404BC9
00404B7C 6F             OUTS DX,DWORD PTR ES:[EDI]             ; I/O 命令
00404B7D 64:75 6C       JNZ SHORT 双色球过.00404BEC                ; 多余前缀
00404B80 65:46          INC ESI                               ; 多余前缀
00404B82 696C65 4E 616D6>IMUL EBP,DWORD PTR SS:[EBP+4E],57656D61
00404B8A 0000          ADD BYTE PTR DS:[EAX],AL
00404B8C D103          ROL DWORD PTR DS:[EBX],1
00404B8E 53             PUSH EBX
00404B8F 65:74 45       JE SHORT 双色球过.00404BD7                ; 多余前缀
00404B92 6E             OUTS DX,BYTE PTR ES:[EDI]             ; I/O 命令
00404B93 76 69          JBE SHORT 双色球过.00404BFE
00404B95 72 6F          JB SHORT 双色球过.00404C06
00404B97 6E             OUTS DX,BYTE PTR ES:[EDI]             ; I/O 命令
00404B98 6D             INS DWORD PTR ES:[EDI],DX             ; I/O 命令
00404B99 65:6E          OUTS DX,BYTE PTR ES:[EDI]             ; I/O 命令
00404B9B 74 56          JE SHORT 双色球过.00404BF3
00404B9D 61             POPAD
00404B9E 72 69          JB SHORT 双色球过.00404C09
00404BA0 61             POPAD
00404BA1 626C65 57    BOUND EBP,QWORD PTR SS:[EBP+57]
00404BA5 00AA 01476574 ADD BYTE PTR DS:[EDX+74654701],CH
00404BAB 43             INC EBX
00404BAC 75 72          JNZ SHORT 双色球过.00404C20
00404BAE 72 65          JB SHORT 双色球过.00404C15
00404BB0 6E             OUTS DX,BYTE PTR ES:[EDI]             ; I/O 命令
00404BB1 74 50          JE SHORT 双色球过.00404C03
00404BB3 72 6F          JB SHORT 双色球过.00404C24
00404BB5 6365 73       ARPL WORD PTR SS:[EBP+73],SP
00404BB8 73 49          JNB SHORT 双色球过.00404C03
00404BBA 64:002C03    ADD BYTE PTR FS:[EBX+EAX],CH
00404BBE 4F             DEC EDI
00404BBF 70 65          JO SHORT 双色球过.00404C26
00404BC1 6E             OUTS DX,BYTE PTR ES:[EDI]             ; I/O 命令
00404BC2 46             INC ESI
00404BC3 696C65 4D 61707>IMUL EBP,DWORD PTR SS:[EBP+4D],69707061
00404BCB 6E             OUTS DX,BYTE PTR ES:[EDI]             ; I/O 命令
00404BCC 67:57          PUSH EDI                               ; 多余前缀
00404BCE 0000          ADD BYTE PTR DS:[EAX],AL
00404BD0 E6 01          OUT 1,AL                               ; I/O 命令
00404BD2 47             INC EDI
00404BD3 65:74 4C       JE SHORT 双色球过.00404C22                ; 多余前缀
00404BD6 61             POPAD
00404BD7 73 74          JNB SHORT 双色球过.00404C4D
00404BD9 45             INC EBP
00404BDA 72 72          JB SHORT 双色球过.00404C4E
00404BDC 6F             OUTS DX,DWORD PTR ES:[EDI]             ; I/O 命令
00404BDD 72 00          JB SHORT 双色球过.00404BDF
00404BDF 000A          ADD BYTE PTR DS:[EDX],CL
00404BE1 034D 61       ADD ECX,DWORD PTR SS:[EBP+61]
00404BE4 70 56          JO SHORT 双色球过.00404C3C
00404BE6 6965 77 4F66466>IMUL ESP,DWORD PTR SS:[EBP+77],6946664F
00404BED 6C             INS BYTE PTR ES:[EDI],DX                ; I/O 命令
00404BEE 65:0043 00    ADD BYTE PTR GS:[EBX],AL
00404BF2 43             INC EBX
00404BF3 6C             INS BYTE PTR ES:[EDI],DX                ; I/O 命令
00404BF4 6F             OUTS DX,DWORD PTR ES:[EDI]             ; I/O 命令
00404BF5 73 65          JNB SHORT 双色球过.00404C5C
00404BF7 48             DEC EAX
00404BF8 61             POPAD
00404BF9 6E             OUTS DX,BYTE PTR ES:[EDI]             ; I/O 命令
00404BFA 64:6C          INS BYTE PTR ES:[EDI],DX                ; I/O 命令
00404BFC 65:007F 00    ADD BYTE PTR GS:[EDI],BH
00404C00 43             INC EBX
00404C01 72 65          JB SHORT 双色球过.00404C68
00404C03 61             POPAD
00404C04 74 65          JE SHORT 双色球过.00404C6B
00404C06 46             INC ESI
00404C07 696C65 57 007C0>IMUL EBP,DWORD PTR SS:[EBP+57],43007C00
00404C0F 72 65          JB SHORT 双色球过.00404C76
00404C11 61             POPAD
00404C12 74 65          JE SHORT 双色球过.00404C79
00404C14 46             INC ESI
00404C15 696C65 4D 61707>IMUL EBP,DWORD PTR SS:[EBP+4D],69707061
00404C1D 6E             OUTS DX,BYTE PTR ES:[EDI]             ; I/O 命令
00404C1E 67:57          PUSH EDI                               ; 多余前缀
00404C20 0000          ADD BYTE PTR DS:[EAX],AL
00404C22 41             INC ECX
00404C23 04 55          ADD AL,55
00404C25 6E             OUTS DX,BYTE PTR ES:[EDI]             ; I/O 命令
00404C26 6D             INS DWORD PTR ES:[EDI],DX             ; I/O 命令
00404C27 61             POPAD
00404C28 70 56          JO SHORT 双色球过.00404C80
00404C2A 6965 77 4F66466>IMUL ESP,DWORD PTR SS:[EBP+77],6946664F
00404C31 6C             INS BYTE PTR ES:[EDI],DX                ; I/O 命令
00404C32 65:00D0       ADD AL,DL                               ; 多余前缀
00404C35 0147 65       ADD DWORD PTR DS:[EDI+65],EAX
00404C38 74 46          JE SHORT 双色球过.00404C80
00404C3A 696C65 49 6E666>IMUL EBP,DWORD PTR SS:[EBP+49],726F666E
00404C42 6D             INS DWORD PTR ES:[EDI],DX             ; I/O 命令
00404C43 61             POPAD
00404C44 74 69          JE SHORT 双色球过.00404CAF
00404C46 6F             OUTS DX,DWORD PTR ES:[EDI]             ; I/O 命令
00404C47 6E             OUTS DX,BYTE PTR ES:[EDI]             ; I/O 命令
00404C48 42             INC EDX
00404C49 79 48          JNS SHORT 双色球过.00404C93
00404C4B 61             POPAD
00404C4C 6E             OUTS DX,BYTE PTR ES:[EDI]             ; I/O 命令
00404C4D 64:6C          INS BYTE PTR ES:[EDI],DX                ; I/O 命令
00404C4F 65:0000       ADD BYTE PTR GS:[EAX],AL
00404C52 54             PUSH ESP
00404C53 04 56          ADD AL,56
00404C55 6972 74 75616C4>IMUL ESI,DWORD PTR DS:[EDX+74],416C6175
00404C5C 6C             INS BYTE PTR ES:[EDI],DX                ; I/O 命令
00404C5D 6C             INS BYTE PTR ES:[EDI],DX                ; I/O 命令
00404C5E 6F             OUTS DX,DWORD PTR ES:[EDI]             ; I/O 命令
00404C5F 6300          ARPL WORD PTR DS:[EAX],AX
00404C61 0057 04       ADD BYTE PTR DS:[EDI+4],DL
00404C64 56             PUSH ESI
00404C65 6972 74 75616C4>IMUL ESI,DWORD PTR DS:[EDX+74],466C6175
00404C6C 72 65          JB SHORT 双色球过.00404CD3
00404C6E 65:00F6       ADD DH,DH                               ; 多余前缀
00404C71 0147 65       ADD DWORD PTR DS:[EDI+65],EAX
00404C74 74 4D          JE SHORT 双色球过.00404CC3
00404C76 6F             OUTS DX,DWORD PTR ES:[EDI]             ; I/O 命令
00404C77 64:75 6C       JNZ SHORT 双色球过.00404CE6                ; 多余前缀
00404C7A 65:48          DEC EAX                               ; 多余前缀
00404C7C 61             POPAD
00404C7D 6E             OUTS DX,BYTE PTR ES:[EDI]             ; I/O 命令
00404C7E 64:6C          INS BYTE PTR ES:[EDI],DX                ; I/O 命令
00404C80 65:41          INC ECX                               ; 多余前缀
00404C82 0000          ADD BYTE PTR DS:[EAX],AL
00404C84 D5 01          AAD 1
00404C86 47             INC EDI
00404C87 65:74 46       JE SHORT 双色球过.00404CD0                ; 多余前缀
00404C8A 696C65 53 697A6>IMUL EBP,DWORD PTR SS:[EBP+53],45657A69
00404C92 78 00          JS SHORT 双色球过.00404C94
00404C94 2002          AND BYTE PTR DS:[EDX],AL
00404C96 47             INC EDI
00404C97 65:74 50       JE SHORT 双色球过.00404CEA                ; 多余前缀
00404C9A 72 6F          JB SHORT 双色球过.00404D0B
00404C9C 6341 64       ARPL WORD PTR DS:[ECX+64],AX
00404C9F 64:72 65       JB SHORT 双色球过.00404D07                ; 多余前缀
00404CA2 73 73          JNB SHORT 双色球过.00404D17
00404CA4 0000          ADD BYTE PTR DS:[EAX],AL
00404CA6 F4             HLT                                     ; 特权命令
00404CA7 024C6F 61    ADD CL,BYTE PTR DS:[EDI+EBP*2+61]
00404CAB 64:4C          DEC ESP                               ; 多余前缀
00404CAD 6962 72 6172795>IMUL ESP,DWORD PTR DS:[EDX+72],57797261
00404CB4 0000          ADD BYTE PTR DS:[EAX],AL
00404CB6 4B             DEC EBX
00404CB7 45             INC EBP
00404CB8 52             PUSH EDX
00404CB9 4E             DEC ESI
00404CBA 45             INC EBP
00404CBB 4C             DEC ESP
00404CBC 3332          XOR ESI,DWORD PTR DS:[EDX]
00404CBE 2E:          PREFIX CS:                            ; 多余前缀
00404CBF 64:6C          INS BYTE PTR ES:[EDI],DX                ; I/O 命令
00404CC1 6C             INS BYTE PTR ES:[EDI],DX                ; I/O 命令
软件下载是http://www.newhua.com/soft/66790.htm

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

收藏・0

免费・0

支持

最新回复 (24)
杨氏雪币： 25 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 20 粉丝 0 关注私信	杨氏 2 楼有大家还不明白的嘛，请大家指点一下 2010-12-1 22:50 0
潜行者aa 雪币： 2 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 2 粉丝 0 关注私信	潜行者aa 3 楼即然是免费的,可能没加壳.先用PEID查查.如果没加壳,用OD直接载入运行,会出现一个对话框,提示输入密码,试输入一个好记的码,点确定,然后会提示错误,这时缓几秒按暂停(F12),然后点击查看-调用椎栈,这时会看到对话框显示的内容,点击程序名称处或程序DLL所指示处-右键-显示调用,然后就可以看到调用API的CALL,向上找到一个关键跳转,并爆破它,保存修改就可以了.(jne 改为je,或jnz改为jz)或者反过来改,总之要跳过提示错误的字符串. 2010-12-1 23:08 0
杨氏雪币： 25 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 20 粉丝 0 关注私信	杨氏 4 楼按照上面网友的提议。有些进展。不过还是有点问题。软件只有一个EXE的没有那些DLL之类的，看了一下进程。它是要调动NET Framework 2.0软件来运作的。如果你随便输入密码就是不能用软件里面的按钮。可能里面有两个软件合并在一起的。大家也可以在我上面的网址那里下载一个来试试。里面太多循环了。上面的代码还没有完全展开的。有兴趣的网友可以试试。 2010-12-2 17:51 0
杨氏雪币： 25 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 20 粉丝 0 关注私信	杨氏 5 楼完全没有上面串号字符之类的提示的。一进去软件就要密码。密码是这样的。比如今天是12.1号密码是123456.明天12.2号密码换成123789之类的了。如果你把系统日期调回12.1号，密码呢还是123456。就是这样用起来相当的麻烦。想购买他本人又不卖。所以才想到破解试试。 2010-12-2 17:57 0
Ｚg真理雪币： 87 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 19 粉丝 1 关注私信	Ｚg真理 6 楼我记得工具包里有个灰按钮克星。。。直接解除禁用就可以了吧……新手，不懂的瞎说，勿怪。 2010-12-2 18:28 0
杨氏雪币： 25 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 20 粉丝 0 关注私信	杨氏 7 楼楼上的网友。我现在用的就是破解助手2008里面的工具。灰色按钮我早就试过了。我想破解的软件里面的程序都把那个按键的功能键都关闭了。所以用不了的。要不是在我提供的网址下载一个软件试试。看你能不能破解。现在我把程序破解在这个位置了。在关键部位上（我是这样想的）请大家指点指点。我是用OllyICE软件来破解的。现在破译在这个位置上 004F8C8A /74 07 je short 004F8C93 004F8C8C \|E8 90CAFEFF call 004E5721 004F8C91 \|EB 05 jmp short 004F8C98 004F8C93 \E8 DCA3FEFF call 004E3074 我不知道现在要断那个点。都试了一下。但是还是不能用。也不知道是不是在关键的位置上调用堆栈：主线程地址堆栈函数过程 / 参数调用来自结构 0012F0FC 7C92DF5A 包含ntdll.KiFastSystemCallRet ntdll.7C92DF58 0012F124 0012F100 004F1573 003D0046 004F156D 0012F124 0012F128 7C8025CB ntdll.ZwWaitForSingleObject kernel32.7C8025C5 0012F124 0012F18C 7C802532 ? kernel32.WaitForSingleObjectEx kernel32.7C80252D 0012F188 0012F190 00000254 hObject = 00000254 (window) 0012F194 FFFFFFFF Timeout = INFINITE 0012F198 00000000 fAlertable = FALSE 0012F1A0 004E3044 ? kernel32.WaitForSingleObject 004E303E 0012F19C 0012F1A4 00000254 hObject = 00000254 (window) 0012F1A8 FFFFFFFF Timeout = INFINITE 0012F204 004E30B9 004E2F1C 004E30B4 0012F200 0012F224 004F8C98 004E3074 004F8C93 0012F274 0012F278 004F8F3F 004F8A6C 004F8F3A 0012F274 0012F2A0 004048E9 包含004F8F3F 双色球过.<模块入口点>+6D6 0012F29C 0012FFC4 7C816FE7 双色球过.<模块入口点> kernel32.7C816FE4 0012FFC0 这是调用堆栈。请大家看看 2010-12-2 21:33 0
杨氏雪币： 25 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 20 粉丝 0 关注私信	杨氏 8 楼想要破译的软件下载是http://www.newhua.com/soft/66790.htm 2010-12-2 21:36 0
comewisdom 雪币： 473 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 130 粉丝 0 关注私信	comewisdom 9 楼学习中......................... 2010-12-3 17:54 0
杨氏雪币： 25 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 20 粉丝 0 关注私信	杨氏 10 楼今日再花两个小时在破译发现软件里面就有3个模块一个是双色球过，一个是ntdll,一个是kernel32。花了几天来查壳。（是有在网上找到的自动查壳软件）查出来的都是显示Borland Delphi 3.0软件编的软件。也不敢断定一定没有壳。但是在OllyICE软件里面可以看见3个模块说明是没有加壳的吧。我也不知道是不是这样认为。请各位高手看见指点指点.谢谢 2010-12-3 19:21 0
杨氏雪币： 25 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 20 粉丝 0 关注私信	杨氏 11 楼再捣鼓了几天还是没有上面进展。请高手指点指点。鄙人不胜感谢。谢谢 2010-12-9 23:00 0
ybhdgggset 雪币： 959 活跃值： (66) 能力值： ( LV2，RANK：10 ) 在线值：发帖 6 回帖 141 粉丝 0 关注私信	ybhdgggset 12 楼程序中的readme 如果运行不正常，可能是你的系统没有安装 Microsoft .NET Framework 2.0 说明该程序是基于.Net的，用PEiD查壳，说是Delphi，看了加密与解密第三版中有这样一句话，"如果一个程序声明必须在.Net下运行，但用PEiD检测却是Win32程序，多半这个程序已经被加密了。" 我也是新手，希望楼主好好看看加密与解密三中第九章 .Net平台加解密 2010-12-10 10:56 0
bora 雪币： 230 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 4 粉丝 0 关注私信	bora 13 楼肯定是个加过的程序 2010-12-10 11:37 0
sjfhezhff 雪币： 32 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 1 粉丝 0 关注私信	sjfhezhff 14 楼毫无头绪~~根本不知道怎么跟。 2010-12-10 13:23 0
杨氏雪币： 25 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 20 粉丝 0 关注私信	杨氏 15 楼谢谢以上网友指点。非常感谢。我有捣鼓了好几天还是没有什么进展。这几天都在查看这方面的资料。对这个软件也是加深了一点看法。我想用DeDe软件里面的按键之类的。但是DeDe是这样说的“发现使用时间包编译的应用程序”。也是知道这个软件是加壳了。而且还加密了。连一个字符串都没有什么提示的。现在我都实在是不知道这个软件是属于Delphi编写的还是VC6.0写的还是属于NET之类的。我也用IDA Pro看了一下。里面有一个MD5什么编号的。不知道有没有什么软件可以查看时什么软件加密的或者是有什么算法加密的。用这个软件就恼火。不用吧又想用。要用吧天天换一个密码的变态换法。着个软件是一定要NET2.0安装后才能用的、我用OD跟踪无论是单步跟踪还是ESP定律都什么反应用点法脱壳后有不能用。在这里还是请各位提点意见指点一下。鄙人不胜感谢。谢谢 2010-12-19 22:17 0
szyg 雪币： 114 活跃值： (11) 能力值： ( LV2，RANK：10 ) 在线值：发帖 6 回帖 93 粉丝 0 关注私信	szyg 16 楼这不是双色球软件吗，你用哪个版本呀，我也在用 2010-12-19 22:22 0
杨氏雪币： 25 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 20 粉丝 0 关注私信	杨氏 17 楼这个软件是用Delphi.NET编写的。还加了密。这是我刚查看资料看见的。有网友知道怎么PJ的请指点一下。 2010-12-19 23:50 0
杨氏雪币： 25 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 20 粉丝 0 关注私信	杨氏 18 楼这不是双色球软件吗，你用哪个版本呀，我也在用是的。1.03.版本。你有这软件PJ版嘛、不要老是输入密码的哦。有的话希望给传上来。谢谢！ 2010-12-19 23:53 0
杨氏雪币： 25 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 20 粉丝 0 关注私信	杨氏 19 楼 0040420F >/$ 55 push ebp 00404210 \|. 8BEC mov ebp, esp 00404212 \|. 83E4 F8 and esp, FFFFFFF8 00404215 \|. 81EC F40C0000 sub esp, 0CF4 0040421B \|. 53 push ebx 0040421C \|. 56 push esi 0040421D \|. 57 push edi 0040421E \|. E8 82FBFFFF call 00403DA5 00404223 \|. 8B35 0CC04100 mov esi, dword ptr [<&KERNEL32.GetTi>; kernel32.GetTickCount 00404229 \|. FFD6 call esi ; [GetTickCount 0040422B \|. 83E0 11 and eax, 11 0040422E \|. BB 10504000 mov ebx, 00405010 00404233 \|. 3D 11010000 cmp eax, 111 00404238 \|. 0F84 21040000 je 0040465F 0040423E \|. FFD6 call esi ; [GetTickCount 00404240 \|. A3 0C504000 mov dword ptr [40500C], eax 00404245 \|> E8 4DFCFFFF /call 00403E97 0040424A \|. 8BC8 \|mov ecx, eax 0040424C \|. 2B0D 0C504000 \|sub ecx, dword ptr [40500C] 00404252 \|. 6A 03 \|push 3 00404254 \|. 33D2 \|xor edx, edx 00404256 \|. 8BC1 \|mov eax, ecx 00404258 \|. 5E \|pop esi 00404259 \|. F7F6 \|div esi 0040425B \|. F7C1 0080FFFF \|test ecx, FFFF8000 00404261 \|. 0F85 A9020000 \|jnz 00404510 00404267 \|. 33C0 \|xor eax, eax 00404269 \|. 33FF \|xor edi, edi 0040426B \|. 89BC24 E40800>\|mov dword ptr [esp+8E4], edi 00404272 \|. 66:898424 D00>\|mov word ptr [esp+4D0], ax 0040427A \|. 89BC24 CC0400>\|mov dword ptr [esp+4CC], edi 00404281 \|. 66:898424 B80>\|mov word ptr [esp+B8], ax 00404289 \|. E8 09FCFFFF \|call 00403E97 0040428E \|. 8BC8 \|mov ecx, eax 00404290 \|. 2B0D 0C504000 \|sub ecx, dword ptr [40500C] 00404296 \|. 33D2 \|xor edx, edx 00404298 \|. 8BC1 \|mov eax, ecx 0040429A \|. F7F6 \|div esi 0040429C \|. F7C1 0080FFFF \|test ecx, FFFF8000 004042A2 \|. 0F85 4D010000 \|jnz 004043F5 004042A8 \|. 68 D8104000 \|push 004010D8 ; UNICODE "_xvm_mem_process_info_0x" 004042AD \|. 8D8424 EC0800>\|lea eax, dword ptr [esp+8EC] 004042B4 \|. E8 6A070000 \|call 00404A23 004042B9 \|. 6A 10 \|push 10 004042BB \|. FF15 18C04100 \|call dword ptr [<&KERNEL32.GetCurren>; [GetCurrentProcessId 004042C1 \|. 8D8C24 EC0800>\|lea ecx, dword ptr [esp+8EC] 004042C8 \|. E8 9A060000 \|call 00404967 004042CD \|. 8B35 1CC04100 \|mov esi, dword ptr [<&KERNEL32.Open>; kernel32.OpenFileMappingW 004042D3 \|. 8BC1 \|mov eax, ecx 004042D5 \|. 50 \|push eax ; /MappingName 004042D6 \|. 57 \|push edi ; \|InheritHandle 004042D7 \|. 6A 04 \|push 4 ; \|Access = FILE_MAP_READ 004042D9 \|. 897C24 40 \|mov dword ptr [esp+40], edi ; \| 004042DD \|. 897C24 44 \|mov dword ptr [esp+44], edi ; \| 004042E1 \|. FFD6 \|call esi ; \OpenFileMappingW 004042E3 \|. 894424 14 \|mov dword ptr [esp+14], eax 004042E7 \|. FF15 20C04100 \|call dword ptr [<&KERNEL32.GetLastEr>; [GetLastError 004042ED \|. 894424 10 \|mov dword ptr [esp+10], eax 004042F1 \|. 397C24 14 \|cmp dword ptr [esp+14], edi 004042F5 \|. 0F84 AC000000 \|je 004043A7 004042FB \|. 57 \|push edi ; /MapSize 004042FC \|. 57 \|push edi ; \|OffsetLow 004042FD \|. 57 \|push edi ; \|OffsetHigh 004042FE \|. 6A 04 \|push 4 ; \|AccessMode = FILE_MAP_READ 00404300 \|. FF7424 24 \|push dword ptr [esp+24] ; \|hMapObject 00404304 \|. FF15 24C04100 \|call dword ptr [<&KERNEL32.MapViewOf>; \MapViewOfFile 0040430A \|. 894424 34 \|mov dword ptr [esp+34], eax 0040430E \|. 3BC7 \|cmp eax, edi 00404310 \|. 0F84 46040000 \|je 0040475C 00404316 \|. 68 B0114000 \|push 004011B0 ; UNICODE "_xvm_mem_application_info_0x" 0040431B \|. 8D8424 EC0800>\|lea eax, dword ptr [esp+8EC] 00404322 \|. E8 E0060000 \|call 00404A07 00404327 \|. 8B4424 34 \|mov eax, dword ptr [esp+34] 0040432B \|. 8B80 10020000 \|mov eax, dword ptr [eax+210] 00404331 \|. 6A 10 \|push 10 00404333 \|. 8D8C24 EC0800>\|lea ecx, dword ptr [esp+8EC] 0040433A \|. E8 28060000 \|call 00404967 0040433F \|. FF7424 14 \|push dword ptr [esp+14] ; /hObject 00404343 \|. FF15 28C04100 \|call dword ptr [<&KERNEL32.CloseHand>; \CloseHandle 00404349 \|. 8D8424 E80800>\|lea eax, dword ptr [esp+8E8] 00404350 \|. 50 \|push eax 00404351 \|. 57 \|push edi 00404352 \|. 6A 04 \|push 4 00404354 \|. FFD6 \|call esi 00404356 \|. 8B35 20C04100 \|mov esi, dword ptr [<&KERNEL32.GetL>; ntdll.RtlGetLastWin32Error 0040435C \|. 894424 14 \|mov dword ptr [esp+14], eax 00404360 \|. FFD6 \|call esi ; [GetLastError 00404362 \|. 894424 10 \|mov dword ptr [esp+10], eax 00404366 \|. 397C24 14 \|cmp dword ptr [esp+14], edi 0040436A \|. 0F84 15040000 \|je 00404785 00404370 \|. 57 \|push edi ; /MapSize 00404371 \|. 57 \|push edi ; \|OffsetLow 00404372 \|. 57 \|push edi ; \|OffsetHigh 00404373 \|. 6A 04 \|push 4 ; \|AccessMode = FILE_MAP_READ 00404375 \|. FF7424 24 \|push dword ptr [esp+24] ; \|hMapObject 00404379 \|. FF15 24C04100 \|call dword ptr [<&KERNEL32.MapViewOf>; \MapViewOfFile 0040437F \|. 894424 38 \|mov dword ptr [esp+38], eax 00404383 \|. 3BC7 \|cmp eax, edi 00404385 \|. 0F84 F1030000 \|je 0040477C 0040438B \|. 83C0 0C \|add eax, 0C 0040438E \|. 50 \|push eax 0040438F \|. 8D8424 D40400>\|lea eax, dword ptr [esp+4D4] 00404396 \|. E8 6C060000 \|call 00404A07 0040439B \|. FF7424 14 \|push dword ptr [esp+14] ; /hObject 0040439F \|. FF15 28C04100 \|call dword ptr [<&KERNEL32.CloseHand>; \CloseHandle 004043A5 \|. EB 30 \|jmp short 004043D7 004043A7 \|> 83F8 02 \|cmp eax, 2 004043AA \|. 0F85 3E050000 \|jnz 004048EE 004043B0 \|. 68 04010000 \|push 104 ; /BufSize = 104 (260.) 004043B5 \|. 8D8424 D40400>\|lea eax, dword ptr [esp+4D4] ; \| 004043BC \|. 50 \|push eax ; \|PathBuffer 004043BD \|. 57 \|push edi ; \|hModule 004043BE \|. FF15 10C04100 \|call dword ptr [<&KERNEL32.GetModule>; \GetModuleFileNameW 004043C4 \|. 8D8C24 D00400>\|lea ecx, dword ptr [esp+4D0] 004043CB \|. E8 86050000 \|call 00404956 004043D0 \|. 898424 E40800>\|mov dword ptr [esp+8E4], eax 004043D7 \|> E8 BBFAFFFF \|call 00403E97 004043DC \|. 8BC8 \|mov ecx, eax 004043DE \|. 2B0D 0C504000 \|sub ecx, dword ptr [40500C] 004043E4 \|. 6A 03 \|push 3 004043E6 \|. 33D2 \|xor edx, edx 004043E8 \|. 8BC1 \|mov eax, ecx 004043EA \|. 5E \|pop esi 004043EB \|. F7F6 \|div esi 004043ED \|. F7C1 0080FFFF \|test ecx, FFFF8000 004043F3 \|. 74 07 \|je short 004043FC 004043F5 \|> 3BD7 \|cmp edx, edi 004043F7 \|. E9 16010000 \|jmp 00404512 004043FC \|> 8D8424 D00400>\|lea eax, dword ptr [esp+4D0] 00404403 \|. 50 \|push eax 00404404 \|. 8DB424 BC0000>\|lea esi, dword ptr [esp+BC] 0040440B \|. E8 BD050000 \|call 004049CD 00404410 \|. 68 28124000 \|push 00401228 ; UNICODE ", " 00404415 \|. E8 B3050000 \|call 004049CD 0040441A \|. 57 \|push edi ; /hTemplateFile 0040441B \|. 57 \|push edi ; \|Attributes 0040441C \|. 6A 03 \|push 3 ; \|Mode = OPEN_EXISTING 0040441E \|. 57 \|push edi ; \|pSecurity 0040441F \|. 6A 07 \|push 7 ; \|ShareMode = FILE_SHARE_READ\|FILE_SHARE_WRITE\|4 00404421 \|. 68 00000080 \|push 80000000 ; \|Access = GENERIC_READ 00404426 \|. 8D8424 E80400>\|lea eax, dword ptr [esp+4E8] ; \| 0040442D \|. 50 \|push eax ; \|FileName 0040442E \|. FF15 2CC04100 \|call dword ptr [<&KERNEL32.CreateFil>; \CreateFileW 00404434 \|. 894424 18 \|mov dword ptr [esp+18], eax 00404438 \|. 83F8 FF \|cmp eax, -1 0040443B \|. 0F84 4E030000 \|je 0040478F 00404441 \|. E8 98F9FFFF \|call 00403DDE 00404446 \|. 85C0 \|test eax, eax 00404448 \|.^ 0F85 F7FDFFFF \jnz 00404245 0040444E \|. 33FF xor edi, edi 00404450 \|. 57 push edi ; /MapName => NULL 00404451 \|. 57 push edi ; \|MaximumSizeLow => 0 00404452 \|. 57 push edi ; \|MaximumSizeHigh => 0 00404453 \|. 6A 02 push 2 ; \|Protection = PAGE_READONLY 00404455 \|. 57 push edi ; \|pSecurity => NULL 00404456 \|. FF7424 2C push dword ptr [esp+2C] ; \|hFile 0040445A \|. FF15 30C04100 call dword ptr [<&KERNEL32.CreateFile>; \CreateFileMappingW 00404460 \|. 894424 20 mov dword ptr [esp+20], eax 00404464 \|. 3BC7 cmp eax, edi 00404466 \|. 0F84 30030000 je 0040479C 0040446C \|. 8B35 24C04100 mov esi, dword ptr [<&KERNEL32.MapVi>; kernel32.MapViewOfFile 00404472 \|. 68 00100000 push 1000 ; /MapSize = 1000 (4096.) 00404477 \|. 57 push edi ; \|OffsetLow => 0 00404478 \|. 57 push edi ; \|OffsetHigh => 0 00404479 \|. 6A 04 push 4 ; \|AccessMode = FILE_MAP_READ 0040447B \|. 50 push eax ; \|hMapObject 0040447C \|. FFD6 call esi ; \MapViewOfFile 0040447E \|. 894424 1C mov dword ptr [esp+1C], eax 00404482 \|. 3BC7 cmp eax, edi 00404484 \|. 0F84 1F030000 je 004047A9 0040448A \|. 8BF8 mov edi, eax 0040448C \|. E8 83F9FFFF call 00403E14 00404491 \|. FF7424 1C push dword ptr [esp+1C] ; /BaseAddress 00404495 \|. 8BF8 mov edi, eax ; \| 00404497 \|. 897C24 34 mov dword ptr [esp+34], edi ; \| 0040449B \|. FF15 34C04100 call dword ptr [<&KERNEL32.UnmapViewO>; \UnmapViewOfFile 004044A1 \|. 8D8424 840000>lea eax, dword ptr [esp+84] 004044A8 \|. 50 push eax ; /pFileInformation 004044A9 \|. FF7424 1C push dword ptr [esp+1C] ; \|hFile 004044AD \|. FF15 38C04100 call dword ptr [<&KERNEL32.GetFileInf>; \GetFileInformationByHandle 004044B3 \|. 85C0 test eax, eax 004044B5 \|. 0F84 FB020000 je 004047B6 004044BB \|. 33C0 xor eax, eax 004044BD \|. 398424 A40000>cmp dword ptr [esp+A4], eax 004044C4 \|. 75 0D jnz short 004044D3 004044C6 \|. 39BC24 A80000>cmp dword ptr [esp+A8], edi 004044CD \|. 0F86 7C040000 jbe 0040494F 004044D3 \|> 81C7 00100000 add edi, 1000 004044D9 \|. 57 push edi 004044DA \|. 50 push eax 004044DB \|. 50 push eax 004044DC \|. 6A 04 push 4 004044DE \|. FF7424 30 push dword ptr [esp+30] 004044E2 \|. FFD6 call esi 004044E4 \|. 8BF0 mov esi, eax 004044E6 \|. 897424 1C mov dword ptr [esp+1C], esi 004044EA \|. 85F6 test esi, esi 004044EC \|. 0F84 D1020000 je 004047C3 004044F2 \|. E8 A0F9FFFF call 00403E97 004044F7 \|. 8BC8 mov ecx, eax 004044F9 \|. 2B0D 0C504000 sub ecx, dword ptr [40500C] 004044FF \|. 6A 03 push 3 00404501 \|. 33D2 xor edx, edx 00404503 \|. 8BC1 mov eax, ecx 00404505 \|. 5F pop edi 00404506 \|. F7F7 div edi 00404508 \|. F7C1 0080FFFF test ecx, FFFF8000 0040450E \|. 74 16 je short 00404526 00404510 \|> 85D2 test edx, edx 00404512 \|> 0F84 68030000 je 00404880 00404518 \|. 83FA 01 cmp edx, 1 0040451B \|.^ 0F84 24FDFFFF je 00404245 00404521 \|. E9 39010000 jmp 0040465F 00404526 \|> 8BFE mov edi, esi 00404528 \|. E8 E7F8FFFF call 00403E14 0040452D \|. 03C6 add eax, esi 0040452F \|. 8B08 mov ecx, dword ptr [eax] 00404531 \|. 894424 10 mov dword ptr [esp+10], eax 00404535 \|. 8D70 04 lea esi, dword ptr [eax+4] 00404538 \|. 81F9 78766D00 cmp ecx, 6D7678 0040453E \|. 0F85 8C020000 jnz 004047D0 00404544 \|. 8B06 mov eax, dword ptr [esi] 00404546 \|. 83C6 04 add esi, 4 00404549 \|. 83F8 01 cmp eax, 1 0040454C \|. 0F85 94020000 jnz 004047E6 00404552 \|. 8B06 mov eax, dword ptr [esi] 00404554 \|. 8BF8 mov edi, eax 00404556 \|. 69FF 05840808 imul edi, edi, 8088405 0040455C \|. 83C6 04 add esi, 4 0040455F \|. 8B0E mov ecx, dword ptr [esi] 00404561 \|. 47 inc edi 00404562 \|. 8BD7 mov edx, edi 00404564 \|. 33D0 xor edx, eax 00404566 \|. 83C6 04 add esi, 4 00404569 \|. 3BD1 cmp edx, ecx 0040456B \|. 0F85 8B020000 jnz 004047FC 00404571 \|. 8B0E mov ecx, dword ptr [esi] 00404573 \|. 8BC7 mov eax, edi 00404575 \|. 69C0 05840808 imul eax, eax, 8088405 0040457B \|. 40 inc eax 0040457C \|. 8BD0 mov edx, eax 0040457E \|. 33D7 xor edx, edi 00404580 \|. 83C6 04 add esi, 4 00404583 \|. 3BD1 cmp edx, ecx 00404585 \|. 0F85 87020000 jnz 00404812 0040458B \|. 8B0E mov ecx, dword ptr [esi] 0040458D \|. 69C0 05840808 imul eax, eax, 8088405 00404593 \|. FF7424 1C push dword ptr [esp+1C] ; /BaseAddress 00404597 \|. 40 inc eax ; \| 00404598 \|. 33C8 xor ecx, eax ; \| 0040459A \|. 69C0 05840808 imul eax, eax, 8088405 ; \| 004045A0 \|. 83C6 04 add esi, 4 ; \| 004045A3 \|. 40 inc eax ; \| 004045A4 \|. 3306 xor eax, dword ptr [esi] ; \| 004045A6 \|. 894C24 2C mov dword ptr [esp+2C], ecx ; \| 004045AA \|. 894424 28 mov dword ptr [esp+28], eax ; \| 004045AE \|. FF15 34C04100 call dword ptr [<&KERNEL32.UnmapViewO>; \UnmapViewOfFile 004045B4 \|. FF7424 20 push dword ptr [esp+20] ; /hObject 004045B8 \|. FF15 28C04100 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle 004045BE \|. 33C0 xor eax, eax 004045C0 \|. 50 push eax ; /MapName => NULL 004045C1 \|. 50 push eax ; \|MaximumSizeLow => 0 004045C2 \|. 50 push eax ; \|MaximumSizeHigh => 0 004045C3 \|. 6A 08 push 8 ; \|Protection = PAGE_WRITECOPY 004045C5 \|. 50 push eax ; \|pSecurity => NULL 004045C6 \|. FF7424 2C push dword ptr [esp+2C] ; \|hFile 004045CA \|. FF15 30C04100 call dword ptr [<&KERNEL32.CreateFile>; \CreateFileMappingW 004045D0 \|. 894424 20 mov dword ptr [esp+20], eax 004045D4 \|. 85C0 test eax, eax 004045D6 \|. 0F84 4C020000 je 00404828 004045DC \|. 2B7424 10 sub esi, dword ptr [esp+10] 004045E0 \|. 8B4C24 24 mov ecx, dword ptr [esp+24] 004045E4 \|. 83C6 04 add esi, 4 004045E7 \|. 03CE add ecx, esi 004045E9 \|. 034C24 30 add ecx, dword ptr [esp+30] 004045ED \|. 897424 3C mov dword ptr [esp+3C], esi 004045F1 \|. 51 push ecx ; /MapSize 004045F2 \|. 6A 00 push 0 ; \|OffsetLow = 0 004045F4 \|. 6A 00 push 0 ; \|OffsetHigh = 0 004045F6 \|. 6A 01 push 1 ; \|AccessMode = FILE_MAP_COPY 004045F8 \|. 50 push eax ; \|hMapObject 004045F9 \|. FF15 24C04100 call dword ptr [<&KERNEL32.MapViewOfF>; \MapViewOfFile 004045FF \|. 33C9 xor ecx, ecx 00404601 \|. 894424 1C mov dword ptr [esp+1C], eax 00404605 \|. 3BC1 cmp eax, ecx 00404607 \|. 0F84 2B020000 je 00404838 0040460D \|. 8B4424 30 mov eax, dword ptr [esp+30] 00404611 \|. 03C6 add eax, esi 00404613 \|. 034424 1C add eax, dword ptr [esp+1C] 00404617 \|. 8B7424 24 mov esi, dword ptr [esp+24] 0040461B \|. 894424 2C mov dword ptr [esp+2C], eax 0040461F \|. 3BF1 cmp esi, ecx 00404621 \|. 76 17 jbe short 0040463A 00404623 \|> 69FF FD430300 /imul edi, edi, 343FD 00404629 \|. 81C7 C39E2600 \|add edi, 269EC3 0040462F \|. 8BD7 \|mov edx, edi 00404631 \|. C1EA 10 \|shr edx, 10 00404634 \|. 3010 \|xor byte ptr [eax], dl 00404636 \|. 40 \|inc eax 00404637 \|. 4E \|dec esi 00404638 \|.^ 75 E9 \jnz short 00404623 0040463A \|> 8D7424 4C lea esi, dword ptr [esp+4C] 0040463E \|. 894C24 6C mov dword ptr [esp+6C], ecx 00404642 \|. 894C24 70 mov dword ptr [esp+70], ecx 00404646 \|. 894C24 74 mov dword ptr [esp+74], ecx 0040464A \|. 894C24 50 mov dword ptr [esp+50], ecx 0040464E \|. 894C24 4C mov dword ptr [esp+4C], ecx 00404652 \|. E8 D9F6FFFF call 00403D30 00404657 \|. 85C0 test eax, eax 00404659 \|. 0F85 E9010000 jnz 00404848 0040465F \|> 6A 04 /push 4 ; /Protect = PAGE_READWRITE 00404661 \|. 68 00100000 \|push 1000 ; \|AllocationType = MEM_COMMIT 00404666 \|. FF7424 30 \|push dword ptr [esp+30] ; \|Size 0040466A \|. 6A 00 \|push 0 ; \|Address = NULL 0040466C \|. FF15 3CC04100 \|call dword ptr [<&KERNEL32.VirtualAl>; \VirtualAlloc 00404672 \|. 8BF0 \|mov esi, eax 00404674 \|. E8 1EF8FFFF \|call 00403E97 00404679 \|. 8BC8 \|mov ecx, eax 0040467B \|. 2B0D 0C504000 \|sub ecx, dword ptr [40500C] 00404681 \|. 6A 03 \|push 3 00404683 \|. 33D2 \|xor edx, edx 00404685 \|. 8BC1 \|mov eax, ecx 00404687 \|. 5F \|pop edi 00404688 \|. F7F7 \|div edi 0040468A \|. F7C1 0080FFFF \|test ecx, FFFF8000 00404690 \|. 74 12 \|je short 004046A4 00404692 \|. 85D2 \|test edx, edx 00404694 \|. 0F84 E6010000 \|je 00404880 0040469A \|. 83FA 01 \|cmp edx, 1 0040469D \|.^ 75 C0 \jnz short 0040465F 0040469F \|.^ E9 A1FBFFFF jmp 00404245 004046A4 \|> 8B4424 24 mov eax, dword ptr [esp+24] 004046A8 \|. 894424 50 mov dword ptr [esp+50], eax 004046AC \|. 8B4424 2C mov eax, dword ptr [esp+2C] 004046B0 \|. 894424 4C mov dword ptr [esp+4C], eax 004046B4 \|. 8B4424 28 mov eax, dword ptr [esp+28] 004046B8 \|. 894424 5C mov dword ptr [esp+5C], eax 004046BC \|. 8D4424 4C lea eax, dword ptr [esp+4C] 004046C0 \|. 50 push eax 004046C1 \|. 897424 5C mov dword ptr [esp+5C], esi 004046C5 \|. E8 76E7FFFF call 00402E40 004046CA \|. 59 pop ecx 004046CB \|. 83F8 01 cmp eax, 1 004046CE \|. 0F85 8A010000 jnz 0040485E 004046D4 \|. FF7424 1C push dword ptr [esp+1C] ; /BaseAddress 004046D8 \|. FF15 34C04100 call dword ptr [<&KERNEL32.UnmapViewO>; \UnmapViewOfFile 004046DE \|. FF7424 20 push dword ptr [esp+20] ; /hObject 004046E2 \|. FF15 28C04100 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle 004046E8 \|. E8 AAF7FFFF call 00403E97 004046ED \|. 8BC8 mov ecx, eax 004046EF \|. 2B0D 0C504000 sub ecx, dword ptr [40500C] 004046F5 \|. 6A 03 push 3 004046F7 \|. 33D2 xor edx, edx 004046F9 \|. 8BC1 mov eax, ecx 004046FB \|. 5F pop edi 004046FC \|. F7F7 div edi 004046FE \|. F7C1 0080FFFF test ecx, FFFF8000 00404704 \|.^ 0F85 06FEFFFF jnz 00404510 0040470A \|. 56 push esi 0040470B \|. E8 4EF8FFFF call 00403F5E 00404710 \|. C70424 008000>mov dword ptr [esp], 8000 ; \| 00404717 \|. FF7424 2C push dword ptr [esp+2C] ; \|Size 0040471B \|. 8BF8 mov edi, eax ; \| 0040471D \|. 56 push esi ; \|Address 0040471E \|. FF15 40C04100 call dword ptr [<&KERNEL32.VirtualFre>; \VirtualFree 00404724 \|. 85FF test edi, edi 00404726 \|. 0F84 00020000 je 0040492C 0040472C \|. 57 push edi 0040472D \|. E8 2FF7FFFF call 00403E61 00404732 \|. 59 pop ecx 00404733 \|. 57 push edi 00404734 \|. E8 8BF7FFFF call 00403EC4 00404739 \|. 59 pop ecx 0040473A \|. 894424 10 mov dword ptr [esp+10], eax 0040473E \|. 85C0 test eax, eax 00404740 \|. 0F85 2E010000 jnz 00404874 00404746 \|. 68 20114000 push 00401120 ; UNICODE "There has been an error starting this virtual appliance. Error code: " 0040474B \|. 8BC3 mov eax, ebx 0040474D \|. E8 B5020000 call 00404A07 00404752 \|. 68 5C134000 push 0040135C ; UNICODE "0x0006" 00404757 \|. E9 C9010000 jmp 00404925 0040475C \|> FF15 20C04100 call dword ptr [<&KERNEL32.GetLastErr>; [GetLastError 00404762 \|. 68 0C114000 push 0040110C ; UNICODE "0x00020: " 00404767 \|> 8DB424 BC0000>lea esi, dword ptr [esp+BC] 0040476E \|. 8BF8 mov edi, eax 00404770 \|. E8 58020000 call 004049CD 00404775 \|. 8BC7 mov eax, edi 00404777 \|. E9 87010000 jmp 00404903 0040477C \|> FFD6 call esi 0040477E \|. 68 EC114000 push 004011EC ; UNICODE "0x00021: " 00404783 \|.^ EB E2 jmp short 00404767 00404785 \|> 68 00124000 push 00401200 ; UNICODE "0x00022: " 0040478A \|. E9 64010000 jmp 004048F3 0040478F \|> FF15 20C04100 call dword ptr [<&KERNEL32.GetLastErr>; [GetLastError 00404795 \|. 68 30124000 push 00401230 ; UNICODE "0x0003: " 0040479A \|.^ EB CB jmp short 00404767 0040479C \|> FF15 20C04100 call dword ptr [<&KERNEL32.GetLastErr>; [GetLastError 004047A2 \|. 68 7C124000 push 0040127C ; UNICODE "0x00040: " 004047A7 \|.^ EB BE jmp short 00404767 004047A9 \|> FF15 20C04100 call dword ptr [<&KERNEL32.GetLastErr>; [GetLastError 004047AF \|. 68 90124000 push 00401290 ; UNICODE "0x00050: " 004047B4 \|.^ EB B1 jmp short 00404767 004047B6 \|> FF15 20C04100 call dword ptr [<&KERNEL32.GetLastErr>; [GetLastError 004047BC \|. 68 A4124000 push 004012A4 ; UNICODE "0x00053: " 004047C1 \|.^ EB A4 jmp short 00404767 004047C3 \|> FF15 20C04100 call dword ptr [<&KERNEL32.GetLastErr>; [GetLastError 004047C9 \|. 68 B8124000 push 004012B8 ; UNICODE "0x00051: " 004047CE \|.^ EB 97 jmp short 00404767 004047D0 \|> 68 20114000 push 00401120 ; UNICODE "There has been an error starting this virtual appliance. Error code: " 004047D5 \|. 8BC3 mov eax, ebx 004047D7 \|. E8 2B020000 call 00404A07 004047DC \|. 68 CC124000 push 004012CC ; UNICODE "0x00E00" 004047E1 \|. E9 3F010000 jmp 00404925 004047E6 \|> 68 20114000 push 00401120 ; UNICODE "There has been an error starting this virtual appliance. Error code: " 004047EB \|. 8BC3 mov eax, ebx 004047ED \|. E8 15020000 call 00404A07 004047F2 \|. 68 DC124000 push 004012DC ; UNICODE "0x00E01" 004047F7 \|. E9 29010000 jmp 00404925 004047FC \|> 68 20114000 push 00401120 ; UNICODE "There has been an error starting this virtual appliance. Error code: " 00404801 \|. 8BC3 mov eax, ebx 00404803 \|. E8 FF010000 call 00404A07 00404808 \|. 68 EC124000 push 004012EC ; UNICODE "0x00E1" 0040480D \|. E9 13010000 jmp 00404925 00404812 \|> 68 20114000 push 00401120 ; UNICODE "There has been an error starting this virtual appliance. Error code: " 00404817 \|. 8BC3 mov eax, ebx 00404819 \|. E8 E9010000 call 00404A07 0040481E \|. 68 FC124000 push 004012FC ; UNICODE "0x00E2" 00404823 \|. E9 FD000000 jmp 00404925 00404828 \|> FF15 20C04100 call dword ptr [<&KERNEL32.GetLastErr>; [GetLastError 0040482E \|. 68 0C134000 push 0040130C ; UNICODE "0x00041: " 00404833 \|.^ E9 2FFFFFFF jmp 00404767 00404838 \|> FF15 20C04100 call dword ptr [<&KERNEL32.GetLastErr>; [GetLastError 0040483E \|. 68 20134000 push 00401320 ; UNICODE "0x00052: " 00404843 \|.^ E9 1FFFFFFF jmp 00404767 00404848 \|> 68 20114000 push 00401120 ; UNICODE "There has been an error starting this virtual appliance. Error code: " 0040484D \|. 8BC3 mov eax, ebx 0040484F \|. E8 B3010000 call 00404A07 00404854 \|. 68 34134000 push 00401334 ; UNICODE "0x00Z1" 00404859 \|. E9 C7000000 jmp 00404925 0040485E \|> 68 20114000 push 00401120 ; UNICODE "There has been an error starting this virtual appliance. Error code: " 00404863 \|. 8BC3 mov eax, ebx 00404865 \|. E8 9D010000 call 00404A07 0040486A \|. 68 44134000 push 00401344 ; UNICODE "0x00Z2" 0040486F \|. E9 B1000000 jmp 00404925 00404874 \|> 6A 00 push 0 ; /pModule = NULL 00404876 \|. FF15 44C04100 call dword ptr [<&KERNEL32.GetModuleH>; \GetModuleHandleA 0040487C \|. 894424 2C mov dword ptr [esp+2C], eax 00404880 \|> 33FF xor edi, edi 00404882 \|. 57 push edi ; /MapName => NULL 00404883 \|. 57 push edi ; \|MaximumSizeLow => 0 00404884 \|. 57 push edi ; \|MaximumSizeHigh => 0 00404885 \|. 6A 02 push 2 ; \|Protection = PAGE_READONLY 00404887 \|. 57 push edi ; \|pSecurity => NULL 00404888 \|. FF7424 2C push dword ptr [esp+2C] ; \|hFile 0040488C \|. FF15 30C04100 call dword ptr [<&KERNEL32.CreateFile>; \CreateFileMappingW 00404892 \|. 8BF0 mov esi, eax 00404894 \|. 3BF7 cmp esi, edi 00404896 \|. 75 10 jnz short 004048A8 00404898 \|. FF15 20C04100 call dword ptr [<&KERNEL32.GetLastErr>; [GetLastError 0040489E \|. 68 6C134000 push 0040136C ; UNICODE "0x00042: " 004048A3 \|.^ E9 BFFEFFFF jmp 00404767 004048A8 \|> 8D4424 40 lea eax, dword ptr [esp+40] 004048AC \|. 50 push eax ; /lpFileSize 004048AD \|. FF7424 1C push dword ptr [esp+1C] ; \|hFile 004048B1 \|. FF15 48C04100 call dword ptr [<&KERNEL32.GetFileSiz>; \GetFileSizeEx 004048B7 \|. FF7424 18 push dword ptr [esp+18] ; /hObject 004048BB \|. FF15 28C04100 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle 004048C1 \|. FF7424 38 push dword ptr [esp+38] 004048C5 \|. 8B4C24 28 mov ecx, dword ptr [esp+28] 004048C9 \|. FF7424 38 push dword ptr [esp+38] 004048CD \|. 8B4424 44 mov eax, dword ptr [esp+44] 004048D1 \|. 03C1 add eax, ecx 004048D3 \|. 034424 38 add eax, dword ptr [esp+38] 004048D7 \|. 50 push eax 004048D8 \|. FF7424 50 push dword ptr [esp+50] 004048DC \|. FF7424 50 push dword ptr [esp+50] 004048E0 \|. 56 push esi 004048E1 \|. FF7424 44 push dword ptr [esp+44] 004048E5 \|. FF5424 2C call dword ptr [esp+2C] ; 猛跳，跟进去很难跑出来，就是用自动步入也难跑出。窗口在这里弹出要密码才能进去 004048E9 \|. 83C4 1C add esp, 1C 004048EC \|. EB 61 jmp short 0040494F 004048EE \|> 68 14124000 push 00401214 ; UNICODE "0x00023: " 004048F3 \|> 8DB424 BC0000>lea esi, dword ptr [esp+BC] 004048FA \|. E8 CE000000 call 004049CD 004048FF \|. 8B4424 10 mov eax, dword ptr [esp+10] 00404903 \|> 6A 0A push 0A 00404905 \|. 8D8C24 BC0000>lea ecx, dword ptr [esp+BC] 0040490C \|. E8 56000000 call 00404967 00404911 \|. 68 20114000 push 00401120 ; UNICODE "There has been an error starting this virtual appliance. Error code: " 00404916 \|. 8BC3 mov eax, ebx 00404918 \|. E8 EA000000 call 00404A07 0040491D \|. 8D8424 B80000>lea eax, dword ptr [esp+B8] 00404924 \|. 50 push eax 00404925 \|> 8BF3 mov esi, ebx 00404927 \|. E8 A1000000 call 004049CD 0040492C \|> 68 80134000 push 00401380 ; /ProcNameOrOrdinal = "MessageBoxW" 00404931 \|. 68 8C134000 push 0040138C ; \|/FileName = "user32.dll" 00404936 \|. FF15 50C04100 call dword ptr [<&KERNEL32.LoadLibrar>; \|\LoadLibraryW 0040493C \|. 50 push eax ; \|hModule 0040493D \|. FF15 4CC04100 call dword ptr [<&KERNEL32.GetProcAdd>; \GetProcAddress 00404943 \|. 6A 10 push 10 00404945 \|. 68 A8134000 push 004013A8 ; UNICODE "Xenocode Virtual Appliance Runtime" 0040494A \|. 53 push ebx 0040494B \|. 6A 00 push 0 0040494D \|. FFD0 call eax 0040494F \|> 5F pop edi 00404950 \|. 5E pop esi 00404951 \|. 5B pop ebx 00404952 \|. 8BE5 mov esp, ebp 00404954 \|. 5D pop ebp 00404955 \. C3 retn 00404956 /$ 33C0 xor eax, eax 00404958 \|. 66:3901 cmp word ptr [ecx], ax 0040495B \|. 74 09 je short 00404966 0040495D \|> 40 /inc eax 0040495E \|. 41 \|inc ecx 0040495F \|. 41 \|inc ecx 00404960 \|. 66:8339 00 \|cmp word ptr [ecx], 0 00404964 \|.^ 75 F7 \jnz short 0040495D 00404966 \> C3 retn 00404967 /$ 56 push esi 00404968 \|. 8BB1 14040000 mov esi, dword ptr [ecx+414] 0040496E \|. 57 push edi 0040496F \|> 33D2 /xor edx, edx 00404971 \|. F77424 0C \|div dword ptr [esp+C] 00404975 \|. 8BB9 14040000 \|mov edi, dword ptr [ecx+414] 0040497B \|. 66:8B1455 801>\|mov dx, word ptr [edx2+401080] 00404983 \|. 66:891479 \|mov word ptr [ecx+edi2], dx 00404987 \|. FF81 14040000 \|inc dword ptr [ecx+414] 0040498D \|. 8B91 14040000 \|mov edx, dword ptr [ecx+414] 00404993 \|. 85C0 \|test eax, eax 00404995 \|.^ 77 D8 \ja short 0040496F 00404997 \|. 33C0 xor eax, eax 00404999 \|. 66:890451 mov word ptr [ecx+edx2], ax 0040499D \|. 8B81 14040000 mov eax, dword ptr [ecx+414] 004049A3 \|. EB 11 jmp short 004049B6 004049A5 \|> 0FB71471 /movzx edx, word ptr [ecx+esi2] 004049A9 \|. 66:8B3C41 \|mov di, word ptr [ecx+eax2] 004049AD \|. 66:893C71 \|mov word ptr [ecx+esi2], di 004049B1 \|. 66:891441 \|mov word ptr [ecx+eax2], dx 004049B5 \|. 46 \|inc esi 004049B6 \|> 48 dec eax 004049B7 \|. 3BF0 \|cmp esi, eax 004049B9 \|.^ 72 EA \jb short 004049A5 004049BB \|. 5F pop edi 004049BC \|. 5E pop esi 004049BD \. C2 0400 retn 4 004049C0 . 83A0 14040000>and dword ptr [eax+414], 0 004049C7 . 33C9 xor ecx, ecx 004049C9 . 66:8908 mov word ptr [eax], cx 004049CC . C3 retn 004049CD /$ 8B4C24 04 mov ecx, dword ptr [esp+4] 004049D1 \|. 57 push edi 004049D2 \|. E8 7FFFFFFF call 00404956 004049D7 \|. FF7424 08 push dword ptr [esp+8] 004049DB \|. 8BF8 mov edi, eax 004049DD \|. 8B86 14040000 mov eax, dword ptr [esi+414] 004049E3 \|. 8D143F lea edx, dword ptr [edi+edi] 004049E6 \|. 8D0446 lea eax, dword ptr [esi+eax2] 004049E9 \|. E8 85000000 call 00404A73 004049EE \|. 8B86 14040000 mov eax, dword ptr [esi+414] 004049F4 \|. 59 pop ecx 004049F5 \|. 03C7 add eax, edi 004049F7 \|. 33C9 xor ecx, ecx 004049F9 \|. 66:890C46 mov word ptr [esi+eax*2], cx 004049FD \|. 01BE 14040000 add dword ptr [esi+414], edi 00404A03 \|. 5F pop edi 00404A04 \. C2 0400 retn 4 00404A07 /$ 56 push esi 00404A08 \|. FF7424 08 push dword ptr [esp+8] 00404A0C \|. 8BF0 mov esi, eax 00404A0E \|. 83A6 14040000>and dword ptr [esi+414], 0 00404A15 \|. 33C0 xor eax, eax 00404A17 \|. 66:8906 mov word ptr [esi], ax 00404A1A \|. E8 AEFFFFFF call 004049CD 00404A1F \|. 5E pop esi 00404A20 \. C2 0400 retn 4 00404A23 /$ 56 push esi 00404A24 \|. FF7424 08 push dword ptr [esp+8] 00404A28 \|. 8BF0 mov esi, eax 00404A2A \|. 83A6 14040000>and dword ptr [esi+414], 0 00404A31 \|. 33C0 xor eax, eax 00404A33 \|. 66:8906 mov word ptr [esi], ax 00404A36 \|. E8 92FFFFFF call 004049CD 00404A3B \|. 8BC6 mov eax, esi 00404A3D \|. 5E pop esi 00404A3E \. C2 0400 retn 4 00404A41 /$ 33C0 xor eax, eax 00404A43 \|. 3801 cmp byte ptr [ecx], al 00404A45 \|. 74 07 je short 00404A4E 00404A47 \|> 40 /inc eax 00404A48 \|. 41 \|inc ecx 00404A49 \|. 8039 00 \|cmp byte ptr [ecx], 0 00404A4C \|.^ 75 F9 \jnz short 00404A47 00404A4E \> C3 retn 00404A4F /$ 03D1 add edx, ecx 00404A51 \|. 33C0 xor eax, eax 00404A53 \|. 3BCA cmp ecx, edx 00404A55 \|. 74 1B je short 00404A72 00404A57 \|. 56 push esi 00404A58 \|. BE 54134000 mov esi, 00401354 ; ASCII "RunVM" 00404A5D \|. 2BF1 sub esi, ecx 00404A5F \|. 57 push edi 00404A60 \|> 0FB63C0E /movzx edi, byte ptr [esi+ecx] 00404A64 \|. 0FB601 \|movzx eax, byte ptr [ecx] 00404A67 \|. 2BC7 \|sub eax, edi 00404A69 \|. 75 05 \|jnz short 00404A70 00404A6B \|. 41 \|inc ecx 00404A6C \|. 3BCA \|cmp ecx, edx 00404A6E \|.^ 75 F0 \jnz short 00404A60 00404A70 \|> 5F pop edi 00404A71 \|. 5E pop esi 00404A72 \> C3 retn 00404A73 /$ 56 push esi 00404A74 \|. 8D3410 lea esi, dword ptr [eax+edx] 00404A77 \|. 8BC8 mov ecx, eax 00404A79 \|. 3BC6 cmp eax, esi 00404A7B \|. 74 12 je short 00404A8F 00404A7D \|. 57 push edi 00404A7E \|. 8B7C24 0C mov edi, dword ptr [esp+C] 00404A82 \|. 2BF8 sub edi, eax 00404A84 \|> 8A140F /mov dl, byte ptr [edi+ecx] 00404A87 \|. 8811 \|mov byte ptr [ecx], dl 00404A89 \|. 41 \|inc ecx 00404A8A \|. 3BCE \|cmp ecx, esi 00404A8C \|.^ 75 F6 \jnz short 00404A84 00404A8E \|. 5F pop edi 00404A8F \|> 5E pop esi 00404A90 \. C3 retn 00404A91 . FF7424 04 push dword ptr [esp+4] ; /pMemory 00404A95 . 6A 00 push 0 ; \|Flags = 0 00404A97 . FF15 04C04100 call dword ptr [<&KERNEL32.GetProcess>; \|[GetProcessHeap 00404A9D . 50 push eax ; \|hHeap 00404A9E . FF15 08C04100 call dword ptr [<&KERNEL32.HeapFree>] ; \HeapFree 00404AA4 . C3 retn 00404AA5 . FF7424 04 push dword ptr [esp+4] ; /dwBytes 00404AA9 . 6A 00 push 0 ; \|dwFlags = 0 00404AAB . FF15 04C04100 call dword ptr [<&KERNEL32.GetProcess>; \|[GetProcessHeap 00404AB1 . 50 push eax ; \|hHeap 00404AB2 . FF15 00C04100 call dword ptr [<&KERNEL32.HeapAlloc>>; \RtlAllocateHeap 00404AB8 . C3 retn 00404AB9 CC int3 00404ABA CC int3 00404ABB CC int3 00404ABC E4 db E4 00404ABD 4A db 4A ; CHAR 'J' 00404ABE 00 db 00 00404ABF 00 db 00 00404AC0 00 db 00 00404AC1 00 db 00 00404AC2 00 db 00 00404AC3 00 db 00 00404AC4 00 db 00 00404AC5 00 db 00 00404AC6 00 db 00 00404AC7 00 db 00 00404AC8 B6 db B6 00404AC9 4C db 4C ; CHAR 'L' 00404ACA 00 db 00 00404ACB 00 db 00 00404ACC 00 db 00 00404ACD 10 db 10 00404ACE 00 db 00 00404ACF 00 db 00 00404AD0 00 db 00 00404AD1 00 db 00 00404AD2 00 db 00 00404AD3 00 db 00 00404AD4 00 db 00 00404AD5 00 db 00 00404AD6 00 db 00 00404AD7 00 db 00 00404AD8 00 db 00 00404AD9 00 db 00 00404ADA 00 db 00 00404ADB 00 db 00 00404ADC 00 db 00 00404ADD 00 db 00 00404ADE 00 db 00 00404ADF 00 db 00 00404AE0 00 db 00 00404AE1 00 db 00 00404AE2 00 db 00 00404AE3 00 db 00 00404AE4 . 3C 4B 00 ascii "<K",0 00404AE7 00 db 00 00404AE8 . 48 4B 00 ascii "HK",0 00404AEB 00 db 00 00404AEC . 5A 4B 00 ascii "ZK",0 00404AEF 00 db 00 00404AF0 . 66 4B 00 ascii "fK",0 00404AF3 00 db 00 00404AF4 . 76 4B 00 ascii "vK",0 00404AF7 00 db 00 00404AF8 8C db 8C 00404AF9 4B db 4B ; CHAR 'K' 00404AFA 00 db 00 00404AFB 00 db 00 00404AFC A6 db A6 00404AFD 4B db 4B ; CHAR 'K' 00404AFE 00 db 00 00404AFF 00 db 00 00404B00 BC db BC 00404B01 4B db 4B ; CHAR 'K' 00404B02 00 db 00 00404B03 00 db 00 00404B04 D0 db D0 00404B05 4B db 4B ; CHAR 'K' 00404B06 00 db 00 00404B07 00 db 00 00404B08 E0 db E0 00404B09 4B db 4B ; CHAR 'K' 00404B0A 00 db 00 00404B0B 00 db 00 00404B0C F0 db F0 00404B0D 4B db 4B ; CHAR 'K' 00404B0E 00 db 00 00404B0F 00 db 00 00404B10 FE db FE 00404B11 4B db 4B ; CHAR 'K' 00404B12 00 db 00 00404B13 00 db 00 00404B14 0C db 0C 00404B15 4C db 4C ; CHAR 'L' 00404B16 00 db 00 00404B17 00 db 00 00404B18 . 22 4C 00 ascii ""L",0 00404B1B 00 db 00 00404B1C . 34 4C 00 ascii "4L",0 00404B1F 00 db 00 00404B20 . 52 4C 00 ascii "RL",0 00404B23 00 db 00 00404B24 . 62 4C 00 ascii "bL",0 00404B27 00 db 00 00404B28 . 70 4C 00 ascii "pL",0 00404B2B 00 db 00 00404B2C 84 db 84 00404B2D 4C db 4C ; CHAR 'L' 00404B2E 00 db 00 00404B2F 00 db 00 00404B30 94 db 94 00404B31 4C db 4C ; CHAR 'L' 00404B32 00 db 00 00404B33 00 db 00 00404B34 A6 db A6 00404B35 4C db 4C ; CHAR 'L' 00404B36 00 db 00 00404B37 00 db 00 00404B38 00 db 00 00404B39 00 db 00 00404B3A 00 db 00 00404B3B 00 db 00 00404B3C 9D db 9D 00404B3D . 02 db 02 00404B3E . 48 65 ascii "He" 00404B40 . 61 70 41 6C 6>ascii "apAlloc",0 00404B48 23 db 23 ; CHAR '#' 00404B49 . 02 db 02 00404B4A . 47 65 ascii "Ge" 00404B4C . 74 50 72 6F 6>ascii "tProcessHeap",0 00404B59 00 db 00 00404B5A A1 db A1 00404B5B . 02 db 02 00404B5C . 48 65 ascii "He" 00404B5E . 61 70 46 72 6>ascii "apFree",0 00404B65 00 db 00 00404B66 66 db 66 ; CHAR 'f' 00404B67 . 02 db 02 00404B68 . 47 65 ascii "Ge" 00404B6A . 74 54 69 63 6>ascii "tTickCount",0 00404B75 00 db 00 00404B76 F5 db F5 00404B77 01 db 01 00404B78 . 47 65 74 4D 6>ascii "GetModuleFileNam" 00404B88 . 65 57 00 ascii "eW",0 00404B8B 00 db 00 00404B8C D1 db D1 00404B8D . 03 db 03 00404B8E . 53 65 74 ascii "Set" 00404B91 . 45 6E 76 69 7>ascii "EnvironmentVaria" 00404BA1 . 62 6C 65 57 0>ascii "bleW",0 00404BA6 AA db AA 00404BA7 01 db 01 00404BA8 . 47 65 74 43 7>ascii "GetCurrentProces" 00404BB8 . 73 49 64 00 ascii "sId",0 00404BBC 2C db 2C ; CHAR ',' 00404BBD . 03 db 03 00404BBE . 4F 70 65 ascii "Ope" 00404BC1 . 6E 46 69 6C 6>ascii "nFileMappingW",0 00404BCF 00 db 00 00404BD0 E6 db E6 00404BD1 01 db 01 00404BD2 . 47 65 74 4C 6>ascii "GetLastError",0 00404BDF 00 db 00 00404BE0 0A db 0A 00404BE1 . 03 db 03 00404BE2 . 4D 61 70 ascii "Map" 00404BE5 . 56 69 65 77 4>ascii "ViewOfFile",0 00404BF0 43 db 43 ; CHAR 'C' 00404BF1 00 db 00 00404BF2 . 43 6C 6F 73 6>ascii "CloseHandle",0 00404BFE 7F db 7F 00404BFF 00 db 00 00404C00 . 43 72 65 61 7>ascii "CreateFileW",0 00404C0C 7C db 7C ; CHAR '\|' 00404C0D 00 db 00 00404C0E . 43 72 65 61 7>ascii "CreateFileMappin" 00404C1E . 67 57 00 ascii "gW",0 00404C21 00 db 00 00404C22 41 db 41 ; CHAR 'A' 00404C23 . 04 db 04 00404C24 . 55 6E 6D 61 ascii "Unma" 00404C28 . 70 56 69 65 7>ascii "pViewOfFile",0 00404C34 D0 db D0 00404C35 01 db 01 00404C36 . 47 65 74 46 6>ascii "GetFileInformati" 00404C46 . 6F 6E 42 79 4>ascii "onByHandle",0 00404C51 00 db 00 00404C52 54 db 54 ; CHAR 'T' 00404C53 . 04 db 04 00404C54 . 56 69 72 74 ascii "Virt" 00404C58 . 75 61 6C 41 6>ascii "ualAlloc",0 00404C61 00 db 00 00404C62 57 db 57 ; CHAR 'W' 00404C63 . 04 db 04 00404C64 . 56 69 72 74 ascii "Virt" 00404C68 . 75 61 6C 46 7>ascii "ualFree",0 00404C70 F6 db F6 00404C71 01 db 01 00404C72 . 47 65 74 4D 6>ascii "GetModuleHandleA" 00404C82 . 00 ascii 0 00404C83 00 db 00 00404C84 D5 db D5 00404C85 01 db 01 00404C86 . 47 65 74 46 6>ascii "GetFileSizeEx",0 00404C94 20 db 20 ; CHAR ' ' 00404C95 . 02 db 02 00404C96 . 47 65 ascii "Ge" 00404C98 . 74 50 72 6F 6>ascii "tProcAddress",0 00404CA5 00 db 00 00404CA6 F4 db F4 00404CA7 . 02 db 02 00404CA8 . 4C 6F ascii "Lo" 00404CAA . 61 64 4C 69 6>ascii "adLibraryW",0 00404CB5 00 db 00 00404CB6 . 4B 45 52 4E 4>ascii "KERNEL32.dll",0 00404CC3 00 db 00 请网友指点在那里下断密码输入跳转 2010-12-20 19:30 0
杨氏雪币： 25 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 20 粉丝 0 关注私信	杨氏 20 楼 004048E5 \|. FF5424 2C call dword ptr [esp+2C]-------------猛跳，跟进去很难跑出来，就是用自动步入也难跑出。窗口在这里弹出要密码才能进去 004048E9 \|. 83C4 1C add esp, 1C---------------------窗口跳出要输入密码才能进真正的软件。如果密码不对就进不去。也没有什么断点可以下，下不了 004048EC \|. EB 61 jmp short 0040494F 004048EE \|> 68 14124000 push 00401214 ; UNICODE "0x00023: " 004048F3 \|> 8DB424 BC0000>lea esi, dword ptr [esp+BC] 004048FA \|. E8 CE000000 call 004049CD 004048FF \|. 8B4424 10 mov eax, dword ptr [esp+10] 00404903 \|> 6A 0A push 0A 00404905 \|. 8D8C24 BC0000>lea ecx, dword ptr [esp+BC] 0040490C \|. E8 56000000 call 00404967 00404911 \|. 68 20114000 push 00401120 ; UNICODE "There has been an error starting this virtual appliance. Error code: " 00404916 \|. 8BC3 mov eax, ebx 00404918 \|. E8 EA000000 call 00404A07不知道在那里下断点。下密码断点也不可以。下窗口也不可以。现在这个代码应该是关键下断的。 0040491D \|. 8D8424 B80000>lea eax, dword ptr [esp+B8] 00404924 \|. 50 push eax 00404925 \|> 8BF3 mov esi, ebx 00404927 \|. E8 A1000000 call 004049CD 0040492C \|> 68 80134000 push 00401380 ; /ProcNameOrOrdinal = "MessageBoxW" 00404931 \|. 68 8C134000 push 0040138C ; \|/FileName = "user32.dll" 00404936 \|. FF15 50C04100 call dword ptr [<&KERNEL32.LoadLibrar>; \|\LoadLibraryW 0040493C \|. 50 push eax ; \|hModule 0040493D \|. FF15 4CC04100 call dword ptr [<&KERNEL32.GetProcAdd>; \GetProcAddress 00404943 \|. 6A 10 push 10 00404945 \|. 68 A8134000 push 004013A8 ; UNICODE "Xenocode Virtual Appliance Runtime" 0040494A \|. 53 push ebx 0040494B \|. 6A 00 push 0 0040494D \|. FFD0 call eax 0040494F \|> 5F pop edi 00404950 \|. 5E pop esi 00404951 \|. 5B pop ebx 00404952 \|. 8BE5 mov esp, ebp 00404954 \|. 5D pop ebp 00404955 \. C3 retn 00404956 /$ 33C0 xor eax, eax 00404958 \|. 66:3901 cmp word ptr [ecx], ax 0040495B \|. 74 09 je short 00404966 0040495D \|> 40 /inc eax 0040495E \|. 41 \|inc ecx 0040495F \|. 41 \|inc ecx 00404960 \|. 66:8339 00 \|cmp word ptr [ecx], 0 00404964 \|.^ 75 F7 \jnz short 0040495D 00404966 \> C3 retn 00404967 /$ 56 push esi 00404968 \|. 8BB1 14040000 mov esi, dword ptr [ecx+414] 0040496E \|. 57 push edi 0040496F \|> 33D2 /xor edx, edx 00404971 \|. F77424 0C \|div dword ptr [esp+C] 00404975 \|. 8BB9 14040000 \|mov edi, dword ptr [ecx+414] 0040497B \|. 66:8B1455 801>\|mov dx, word ptr [edx2+401080] 00404983 \|. 66:891479 \|mov word ptr [ecx+edi2], dx 00404987 \|. FF81 14040000 \|inc dword ptr [ecx+414] 0040498D \|. 8B91 14040000 \|mov edx, dword ptr [ecx+414] 00404993 \|. 85C0 \|test eax, eax 00404995 \|.^ 77 D8 \ja short 0040496F 00404997 \|. 33C0 xor eax, eax 00404999 \|. 66:890451 mov word ptr [ecx+edx2], ax 0040499D \|. 8B81 14040000 mov eax, dword ptr [ecx+414] 004049A3 \|. EB 11 jmp short 004049B6 004049A5 \|> 0FB71471 /movzx edx, word ptr [ecx+esi2] 004049A9 \|. 66:8B3C41 \|mov di, word ptr [ecx+eax2] 004049AD \|. 66:893C71 \|mov word ptr [ecx+esi2], di 004049B1 \|. 66:891441 \|mov word ptr [ecx+eax2], dx 004049B5 \|. 46 \|inc esi 004049B6 \|> 48 dec eax 004049B7 \|. 3BF0 \|cmp esi, eax 004049B9 \|.^ 72 EA \jb short 004049A5 004049BB \|. 5F pop edi 004049BC \|. 5E pop esi 004049BD \. C2 0400 retn 4 004049C0 . 83A0 14040000>and dword ptr [eax+414], 0 004049C7 . 33C9 xor ecx, ecx 004049C9 . 66:8908 mov word ptr [eax], cx 004049CC . C3 retn 004049CD /$ 8B4C24 04 mov ecx, dword ptr [esp+4] 004049D1 \|. 57 push edi 004049D2 \|. E8 7FFFFFFF call 00404956 004049D7 \|. FF7424 08 push dword ptr [esp+8] 004049DB \|. 8BF8 mov edi, eax 004049DD \|. 8B86 14040000 mov eax, dword ptr [esi+414] 004049E3 \|. 8D143F lea edx, dword ptr [edi+edi] 004049E6 \|. 8D0446 lea eax, dword ptr [esi+eax2] 004049E9 \|. E8 85000000 call 00404A73 004049EE \|. 8B86 14040000 mov eax, dword ptr [esi+414] 004049F4 \|. 59 pop ecx 004049F5 \|. 03C7 add eax, edi 004049F7 \|. 33C9 xor ecx, ecx 004049F9 \|. 66:890C46 mov word ptr [esi+eax*2], cx 004049FD \|. 01BE 14040000 add dword ptr [esi+414], edi 00404A03 \|. 5F pop edi 00404A04 \. C2 0400 retn 4 00404A07 /$ 56 push esi 00404A08 \|. FF7424 08 push dword ptr [esp+8] 00404A0C \|. 8BF0 mov esi, eax 00404A0E \|. 83A6 14040000>and dword ptr [esi+414], 0 00404A15 \|. 33C0 xor eax, eax 00404A17 \|. 66:8906 mov word ptr [esi], ax 00404A1A \|. E8 AEFFFFFF call 004049CD 00404A1F \|. 5E pop esi 00404A20 \. C2 0400 retn 4 00404A23 /$ 56 push esi 00404A24 \|. FF7424 08 push dword ptr [esp+8] 00404A28 \|. 8BF0 mov esi, eax 00404A2A \|. 83A6 14040000>and dword ptr [esi+414], 0 00404A31 \|. 33C0 xor eax, eax 00404A33 \|. 66:8906 mov word ptr [esi], ax 00404A36 \|. E8 92FFFFFF call 004049CD 00404A3B \|. 8BC6 mov eax, esi 00404A3D \|. 5E pop esi 00404A3E \. C2 0400 retn 4 00404A41 /$ 33C0 xor eax, eax 00404A43 \|. 3801 cmp byte ptr [ecx], al 00404A45 \|. 74 07 je short 00404A4E 00404A47 \|> 40 /inc eax 00404A48 \|. 41 \|inc ecx 00404A49 \|. 8039 00 \|cmp byte ptr [ecx], 0 00404A4C \|.^ 75 F9 \jnz short 00404A47 00404A4E \> C3 retn 00404A4F /$ 03D1 add edx, ecx 00404A51 \|. 33C0 xor eax, eax 00404A53 \|. 3BCA cmp ecx, edx 00404A55 \|. 74 1B je short 00404A72 00404A57 \|. 56 push esi 00404A58 \|. BE 54134000 mov esi, 00401354 ; ASCII "RunVM" 00404A5D \|. 2BF1 sub esi, ecx 00404A5F \|. 57 push edi 00404A60 \|> 0FB63C0E /movzx edi, byte ptr [esi+ecx] 00404A64 \|. 0FB601 \|movzx eax, byte ptr [ecx] 00404A67 \|. 2BC7 \|sub eax, edi 00404A69 \|. 75 05 \|jnz short 00404A70 00404A6B \|. 41 \|inc ecx 00404A6C \|. 3BCA \|cmp ecx, edx 00404A6E \|.^ 75 F0 \jnz short 00404A60 00404A70 \|> 5F pop edi 00404A71 \|. 5E pop esi 00404A72 \> C3 retn 00404A73 /$ 56 push esi 00404A74 \|. 8D3410 lea esi, dword ptr [eax+edx] 00404A77 \|. 8BC8 mov ecx, eax 00404A79 \|. 3BC6 cmp eax, esi 00404A7B \|. 74 12 je short 00404A8F 00404A7D \|. 57 push edi 00404A7E \|. 8B7C24 0C mov edi, dword ptr [esp+C] 00404A82 \|. 2BF8 sub edi, eax 00404A84 \|> 8A140F /mov dl, byte ptr [edi+ecx] 00404A87 \|. 8811 \|mov byte ptr [ecx], dl 00404A89 \|. 41 \|inc ecx 00404A8A \|. 3BCE \|cmp ecx, esi 00404A8C \|.^ 75 F6 \jnz short 00404A84 00404A8E \|. 5F pop edi 00404A8F \|> 5E pop esi 00404A90 \. C3 retn 00404A91 . FF7424 04 push dword ptr [esp+4] ; /pMemory 00404A95 . 6A 00 push 0 ; \|Flags = 0 00404A97 . FF15 04C04100 call dword ptr [<&KERNEL32.GetProcess>; \|[GetProcessHeap 00404A9D . 50 push eax ; \|hHeap 00404A9E . FF15 08C04100 call dword ptr [<&KERNEL32.HeapFree>] ; \HeapFree 00404AA4 . C3 retn 00404AA5 . FF7424 04 push dword ptr [esp+4] ; /dwBytes 00404AA9 . 6A 00 push 0 ; \|dwFlags = 0 00404AAB . FF15 04C04100 call dword ptr [<&KERNEL32.GetProcess>; \|[GetProcessHeap 00404AB1 . 50 push eax ; \|hHeap 00404AB2 . FF15 00C04100 call dword ptr [<&KERNEL32.HeapAlloc>>; \RtlAllocateHeap 00404AB8 . C3 retn 00404AB9 CC int3 00404ABA CC int3 00404ABB CC int3 软件是在华军网站下载的http://www.newhua.com/soft/66790.htm 不知道在那里下断点。下密码断点也不可以。下窗口也不可以。现在这个代码应该是关键下断的。我试了几次都不可以。迷茫呀。请网友指点一下我这个菜鸟吧。看过的客官给点意见吧 2010-12-21 21:34 0
易天雪币： 126 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 16 粉丝 0 关注私信	易天 21 楼完全看不懂~~~哎呀~~ 2010-12-22 00:07 0
wjwqp 雪币： 201 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 2 粉丝 0 关注私信	wjwqp 22 楼学习关注中。。。 2010-12-22 00:52 0
杨氏雪币： 25 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 20 粉丝 0 关注私信	杨氏 23 楼汗......... ybhdgggset 网友指点指点是NET软件之类的我在网上加了一个网友再经他指点才知道是用Xenocode 2008混编写的。折腾了大半个月时间在徘徊。用OD是很难调试出来的，要用C32Asm和NET之类的调试现在是知道我是不能PJ的了。哎，我菜的很，不过我上班的时候有时间。就再捣鼓捣鼓吧。还没有脱壳。那位网友也不能脱，只好再找找资料再折腾一番吧。有这类脱壳经验的网友希望你们能指点一下。 2010-12-22 22:56 0
空佑雪币： 156 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 75 粉丝 0 关注私信	空佑 24 楼围观中。。。 2010-12-23 08:48 0
杨氏雪币： 25 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 20 粉丝 0 关注私信	杨氏 25 楼还是没有捣鼓出来。用工具脱壳后用OD调试跑飞了。还是要手工脱壳呀。看了不少这样的文章，也有很大的收获。在这感谢看看的大大们。是您们无私的贡献出来破文我才看见一点这个软件的苗头。革命尚未成功。只能在努力了。看不能写出来第一篇破文出来。看着大大们写出来的文章实在是受用，谢谢！ 2010-12-26 04:18 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

杨氏

发帖

回帖

RANK

关注

私信

他的文章

[讨论]相当复杂的破解。请高手求解 2385

关于我们

联系我们

企业服务

看雪公众号

最新回复 (24)
杨氏雪币： 25 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 20 粉丝 0 关注私信	杨氏 2 楼有大家还不明白的嘛，请大家指点一下 2010-12-1 22:50 0
潜行者aa 雪币： 2 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 2 粉丝 0 关注私信	潜行者aa 3 楼即然是免费的,可能没加壳.先用PEID查查.如果没加壳,用OD直接载入运行,会出现一个对话框,提示输入密码,试输入一个好记的码,点确定,然后会提示错误,这时缓几秒按暂停(F12),然后点击查看-调用椎栈,这时会看到对话框显示的内容,点击程序名称处或程序DLL所指示处-右键-显示调用,然后就可以看到调用API的CALL,向上找到一个关键跳转,并爆破它,保存修改就可以了.(jne 改为je,或jnz改为jz)或者反过来改,总之要跳过提示错误的字符串. 2010-12-1 23:08 0
杨氏雪币： 25 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 20 粉丝 0 关注私信	杨氏 4 楼按照上面网友的提议。有些进展。不过还是有点问题。软件只有一个EXE的没有那些DLL之类的，看了一下进程。它是要调动NET Framework 2.0软件来运作的。如果你随便输入密码就是不能用软件里面的按钮。可能里面有两个软件合并在一起的。大家也可以在我上面的网址那里下载一个来试试。里面太多循环了。上面的代码还没有完全展开的。有兴趣的网友可以试试。 2010-12-2 17:51 0
杨氏雪币： 25 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 20 粉丝 0 关注私信	杨氏 5 楼完全没有上面串号字符之类的提示的。一进去软件就要密码。密码是这样的。比如今天是12.1号密码是123456.明天12.2号密码换成123789之类的了。如果你把系统日期调回12.1号，密码呢还是123456。就是这样用起来相当的麻烦。想购买他本人又不卖。所以才想到破解试试。 2010-12-2 17:57 0
Ｚg真理雪币： 87 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 19 粉丝 1 关注私信	Ｚg真理 6 楼我记得工具包里有个灰按钮克星。。。直接解除禁用就可以了吧……新手，不懂的瞎说，勿怪。 2010-12-2 18:28 0
杨氏雪币： 25 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 20 粉丝 0 关注私信	杨氏 7 楼楼上的网友。我现在用的就是破解助手2008里面的工具。灰色按钮我早就试过了。我想破解的软件里面的程序都把那个按键的功能键都关闭了。所以用不了的。要不是在我提供的网址下载一个软件试试。看你能不能破解。现在我把程序破解在这个位置了。在关键部位上（我是这样想的）请大家指点指点。我是用OllyICE软件来破解的。现在破译在这个位置上 004F8C8A /74 07 je short 004F8C93 004F8C8C \|E8 90CAFEFF call 004E5721 004F8C91 \|EB 05 jmp short 004F8C98 004F8C93 \E8 DCA3FEFF call 004E3074 我不知道现在要断那个点。都试了一下。但是还是不能用。也不知道是不是在关键的位置上调用堆栈：主线程地址堆栈函数过程 / 参数调用来自结构 0012F0FC 7C92DF5A 包含ntdll.KiFastSystemCallRet ntdll.7C92DF58 0012F124 0012F100 004F1573 003D0046 004F156D 0012F124 0012F128 7C8025CB ntdll.ZwWaitForSingleObject kernel32.7C8025C5 0012F124 0012F18C 7C802532 ? kernel32.WaitForSingleObjectEx kernel32.7C80252D 0012F188 0012F190 00000254 hObject = 00000254 (window) 0012F194 FFFFFFFF Timeout = INFINITE 0012F198 00000000 fAlertable = FALSE 0012F1A0 004E3044 ? kernel32.WaitForSingleObject 004E303E 0012F19C 0012F1A4 00000254 hObject = 00000254 (window) 0012F1A8 FFFFFFFF Timeout = INFINITE 0012F204 004E30B9 004E2F1C 004E30B4 0012F200 0012F224 004F8C98 004E3074 004F8C93 0012F274 0012F278 004F8F3F 004F8A6C 004F8F3A 0012F274 0012F2A0 004048E9 包含004F8F3F 双色球过.<模块入口点>+6D6 0012F29C 0012FFC4 7C816FE7 双色球过.<模块入口点> kernel32.7C816FE4 0012FFC0 这是调用堆栈。请大家看看 2010-12-2 21:33 0
杨氏雪币： 25 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 20 粉丝 0 关注私信	杨氏 8 楼想要破译的软件下载是http://www.newhua.com/soft/66790.htm 2010-12-2 21:36 0
comewisdom 雪币： 473 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 130 粉丝 0 关注私信	comewisdom 9 楼学习中......................... 2010-12-3 17:54 0
杨氏雪币： 25 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 20 粉丝 0 关注私信	杨氏 10 楼今日再花两个小时在破译发现软件里面就有3个模块一个是双色球过，一个是ntdll,一个是kernel32。花了几天来查壳。（是有在网上找到的自动查壳软件）查出来的都是显示Borland Delphi 3.0软件编的软件。也不敢断定一定没有壳。但是在OllyICE软件里面可以看见3个模块说明是没有加壳的吧。我也不知道是不是这样认为。请各位高手看见指点指点.谢谢 2010-12-3 19:21 0
杨氏雪币： 25 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 20 粉丝 0 关注私信	杨氏 11 楼再捣鼓了几天还是没有上面进展。请高手指点指点。鄙人不胜感谢。谢谢 2010-12-9 23:00 0
ybhdgggset 雪币： 959 活跃值： (66) 能力值： ( LV2，RANK：10 ) 在线值：发帖 6 回帖 141 粉丝 0 关注私信	ybhdgggset 12 楼程序中的readme 如果运行不正常，可能是你的系统没有安装 Microsoft .NET Framework 2.0 说明该程序是基于.Net的，用PEiD查壳，说是Delphi，看了加密与解密第三版中有这样一句话，"如果一个程序声明必须在.Net下运行，但用PEiD检测却是Win32程序，多半这个程序已经被加密了。" 我也是新手，希望楼主好好看看加密与解密三中第九章 .Net平台加解密 2010-12-10 10:56 0
bora 雪币： 230 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 4 粉丝 0 关注私信	bora 13 楼肯定是个加过的程序 2010-12-10 11:37 0
sjfhezhff 雪币： 32 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 1 粉丝 0 关注私信	sjfhezhff 14 楼毫无头绪~~根本不知道怎么跟。 2010-12-10 13:23 0
杨氏雪币： 25 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 20 粉丝 0 关注私信	杨氏 15 楼谢谢以上网友指点。非常感谢。我有捣鼓了好几天还是没有什么进展。这几天都在查看这方面的资料。对这个软件也是加深了一点看法。我想用DeDe软件里面的按键之类的。但是DeDe是这样说的“发现使用时间包编译的应用程序”。也是知道这个软件是加壳了。而且还加密了。连一个字符串都没有什么提示的。现在我都实在是不知道这个软件是属于Delphi编写的还是VC6.0写的还是属于NET之类的。我也用IDA Pro看了一下。里面有一个MD5什么编号的。不知道有没有什么软件可以查看时什么软件加密的或者是有什么算法加密的。用这个软件就恼火。不用吧又想用。要用吧天天换一个密码的变态换法。着个软件是一定要NET2.0安装后才能用的、我用OD跟踪无论是单步跟踪还是ESP定律都什么反应用点法脱壳后有不能用。在这里还是请各位提点意见指点一下。鄙人不胜感谢。谢谢 2010-12-19 22:17 0
szyg 雪币： 114 活跃值： (11) 能力值： ( LV2，RANK：10 ) 在线值：发帖 6 回帖 93 粉丝 0 关注私信	szyg 16 楼这不是双色球软件吗，你用哪个版本呀，我也在用 2010-12-19 22:22 0
杨氏雪币： 25 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 20 粉丝 0 关注私信	杨氏 17 楼这个软件是用Delphi.NET编写的。还加了密。这是我刚查看资料看见的。有网友知道怎么PJ的请指点一下。 2010-12-19 23:50 0
杨氏雪币： 25 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 20 粉丝 0 关注私信	杨氏 18 楼这不是双色球软件吗，你用哪个版本呀，我也在用是的。1.03.版本。你有这软件PJ版嘛、不要老是输入密码的哦。有的话希望给传上来。谢谢！ 2010-12-19 23:53 0
杨氏雪币： 25 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 20 粉丝 0 关注私信	杨氏 19 楼 0040420F >/$ 55 push ebp 00404210 \|. 8BEC mov ebp, esp 00404212 \|. 83E4 F8 and esp, FFFFFFF8 00404215 \|. 81EC F40C0000 sub esp, 0CF4 0040421B \|. 53 push ebx 0040421C \|. 56 push esi 0040421D \|. 57 push edi 0040421E \|. E8 82FBFFFF call 00403DA5 00404223 \|. 8B35 0CC04100 mov esi, dword ptr [<&KERNEL32.GetTi>; kernel32.GetTickCount 00404229 \|. FFD6 call esi ; [GetTickCount 0040422B \|. 83E0 11 and eax, 11 0040422E \|. BB 10504000 mov ebx, 00405010 00404233 \|. 3D 11010000 cmp eax, 111 00404238 \|. 0F84 21040000 je 0040465F 0040423E \|. FFD6 call esi ; [GetTickCount 00404240 \|. A3 0C504000 mov dword ptr [40500C], eax 00404245 \|> E8 4DFCFFFF /call 00403E97 0040424A \|. 8BC8 \|mov ecx, eax 0040424C \|. 2B0D 0C504000 \|sub ecx, dword ptr [40500C] 00404252 \|. 6A 03 \|push 3 00404254 \|. 33D2 \|xor edx, edx 00404256 \|. 8BC1 \|mov eax, ecx 00404258 \|. 5E \|pop esi 00404259 \|. F7F6 \|div esi 0040425B \|. F7C1 0080FFFF \|test ecx, FFFF8000 00404261 \|. 0F85 A9020000 \|jnz 00404510 00404267 \|. 33C0 \|xor eax, eax 00404269 \|. 33FF \|xor edi, edi 0040426B \|. 89BC24 E40800>\|mov dword ptr [esp+8E4], edi 00404272 \|. 66:898424 D00>\|mov word ptr [esp+4D0], ax 0040427A \|. 89BC24 CC0400>\|mov dword ptr [esp+4CC], edi 00404281 \|. 66:898424 B80>\|mov word ptr [esp+B8], ax 00404289 \|. E8 09FCFFFF \|call 00403E97 0040428E \|. 8BC8 \|mov ecx, eax 00404290 \|. 2B0D 0C504000 \|sub ecx, dword ptr [40500C] 00404296 \|. 33D2 \|xor edx, edx 00404298 \|. 8BC1 \|mov eax, ecx 0040429A \|. F7F6 \|div esi 0040429C \|. F7C1 0080FFFF \|test ecx, FFFF8000 004042A2 \|. 0F85 4D010000 \|jnz 004043F5 004042A8 \|. 68 D8104000 \|push 004010D8 ; UNICODE "_xvm_mem_process_info_0x" 004042AD \|. 8D8424 EC0800>\|lea eax, dword ptr [esp+8EC] 004042B4 \|. E8 6A070000 \|call 00404A23 004042B9 \|. 6A 10 \|push 10 004042BB \|. FF15 18C04100 \|call dword ptr [<&KERNEL32.GetCurren>; [GetCurrentProcessId 004042C1 \|. 8D8C24 EC0800>\|lea ecx, dword ptr [esp+8EC] 004042C8 \|. E8 9A060000 \|call 00404967 004042CD \|. 8B35 1CC04100 \|mov esi, dword ptr [<&KERNEL32.Open>; kernel32.OpenFileMappingW 004042D3 \|. 8BC1 \|mov eax, ecx 004042D5 \|. 50 \|push eax ; /MappingName 004042D6 \|. 57 \|push edi ; \|InheritHandle 004042D7 \|. 6A 04 \|push 4 ; \|Access = FILE_MAP_READ 004042D9 \|. 897C24 40 \|mov dword ptr [esp+40], edi ; \| 004042DD \|. 897C24 44 \|mov dword ptr [esp+44], edi ; \| 004042E1 \|. FFD6 \|call esi ; \OpenFileMappingW 004042E3 \|. 894424 14 \|mov dword ptr [esp+14], eax 004042E7 \|. FF15 20C04100 \|call dword ptr [<&KERNEL32.GetLastEr>; [GetLastError 004042ED \|. 894424 10 \|mov dword ptr [esp+10], eax 004042F1 \|. 397C24 14 \|cmp dword ptr [esp+14], edi 004042F5 \|. 0F84 AC000000 \|je 004043A7 004042FB \|. 57 \|push edi ; /MapSize 004042FC \|. 57 \|push edi ; \|OffsetLow 004042FD \|. 57 \|push edi ; \|OffsetHigh 004042FE \|. 6A 04 \|push 4 ; \|AccessMode = FILE_MAP_READ 00404300 \|. FF7424 24 \|push dword ptr [esp+24] ; \|hMapObject 00404304 \|. FF15 24C04100 \|call dword ptr [<&KERNEL32.MapViewOf>; \MapViewOfFile 0040430A \|. 894424 34 \|mov dword ptr [esp+34], eax 0040430E \|. 3BC7 \|cmp eax, edi 00404310 \|. 0F84 46040000 \|je 0040475C 00404316 \|. 68 B0114000 \|push 004011B0 ; UNICODE "_xvm_mem_application_info_0x" 0040431B \|. 8D8424 EC0800>\|lea eax, dword ptr [esp+8EC] 00404322 \|. E8 E0060000 \|call 00404A07 00404327 \|. 8B4424 34 \|mov eax, dword ptr [esp+34] 0040432B \|. 8B80 10020000 \|mov eax, dword ptr [eax+210] 00404331 \|. 6A 10 \|push 10 00404333 \|. 8D8C24 EC0800>\|lea ecx, dword ptr [esp+8EC] 0040433A \|. E8 28060000 \|call 00404967 0040433F \|. FF7424 14 \|push dword ptr [esp+14] ; /hObject 00404343 \|. FF15 28C04100 \|call dword ptr [<&KERNEL32.CloseHand>; \CloseHandle 00404349 \|. 8D8424 E80800>\|lea eax, dword ptr [esp+8E8] 00404350 \|. 50 \|push eax 00404351 \|. 57 \|push edi 00404352 \|. 6A 04 \|push 4 00404354 \|. FFD6 \|call esi 00404356 \|. 8B35 20C04100 \|mov esi, dword ptr [<&KERNEL32.GetL>; ntdll.RtlGetLastWin32Error 0040435C \|. 894424 14 \|mov dword ptr [esp+14], eax 00404360 \|. FFD6 \|call esi ; [GetLastError 00404362 \|. 894424 10 \|mov dword ptr [esp+10], eax 00404366 \|. 397C24 14 \|cmp dword ptr [esp+14], edi 0040436A \|. 0F84 15040000 \|je 00404785 00404370 \|. 57 \|push edi ; /MapSize 00404371 \|. 57 \|push edi ; \|OffsetLow 00404372 \|. 57 \|push edi ; \|OffsetHigh 00404373 \|. 6A 04 \|push 4 ; \|AccessMode = FILE_MAP_READ 00404375 \|. FF7424 24 \|push dword ptr [esp+24] ; \|hMapObject 00404379 \|. FF15 24C04100 \|call dword ptr [<&KERNEL32.MapViewOf>; \MapViewOfFile 0040437F \|. 894424 38 \|mov dword ptr [esp+38], eax 00404383 \|. 3BC7 \|cmp eax, edi 00404385 \|. 0F84 F1030000 \|je 0040477C 0040438B \|. 83C0 0C \|add eax, 0C 0040438E \|. 50 \|push eax 0040438F \|. 8D8424 D40400>\|lea eax, dword ptr [esp+4D4] 00404396 \|. E8 6C060000 \|call 00404A07 0040439B \|. FF7424 14 \|push dword ptr [esp+14] ; /hObject 0040439F \|. FF15 28C04100 \|call dword ptr [<&KERNEL32.CloseHand>; \CloseHandle 004043A5 \|. EB 30 \|jmp short 004043D7 004043A7 \|> 83F8 02 \|cmp eax, 2 004043AA \|. 0F85 3E050000 \|jnz 004048EE 004043B0 \|. 68 04010000 \|push 104 ; /BufSize = 104 (260.) 004043B5 \|. 8D8424 D40400>\|lea eax, dword ptr [esp+4D4] ; \| 004043BC \|. 50 \|push eax ; \|PathBuffer 004043BD \|. 57 \|push edi ; \|hModule 004043BE \|. FF15 10C04100 \|call dword ptr [<&KERNEL32.GetModule>; \GetModuleFileNameW 004043C4 \|. 8D8C24 D00400>\|lea ecx, dword ptr [esp+4D0] 004043CB \|. E8 86050000 \|call 00404956 004043D0 \|. 898424 E40800>\|mov dword ptr [esp+8E4], eax 004043D7 \|> E8 BBFAFFFF \|call 00403E97 004043DC \|. 8BC8 \|mov ecx, eax 004043DE \|. 2B0D 0C504000 \|sub ecx, dword ptr [40500C] 004043E4 \|. 6A 03 \|push 3 004043E6 \|. 33D2 \|xor edx, edx 004043E8 \|. 8BC1 \|mov eax, ecx 004043EA \|. 5E \|pop esi 004043EB \|. F7F6 \|div esi 004043ED \|. F7C1 0080FFFF \|test ecx, FFFF8000 004043F3 \|. 74 07 \|je short 004043FC 004043F5 \|> 3BD7 \|cmp edx, edi 004043F7 \|. E9 16010000 \|jmp 00404512 004043FC \|> 8D8424 D00400>\|lea eax, dword ptr [esp+4D0] 00404403 \|. 50 \|push eax 00404404 \|. 8DB424 BC0000>\|lea esi, dword ptr [esp+BC] 0040440B \|. E8 BD050000 \|call 004049CD 00404410 \|. 68 28124000 \|push 00401228 ; UNICODE ", " 00404415 \|. E8 B3050000 \|call 004049CD 0040441A \|. 57 \|push edi ; /hTemplateFile 0040441B \|. 57 \|push edi ; \|Attributes 0040441C \|. 6A 03 \|push 3 ; \|Mode = OPEN_EXISTING 0040441E \|. 57 \|push edi ; \|pSecurity 0040441F \|. 6A 07 \|push 7 ; \|ShareMode = FILE_SHARE_READ\|FILE_SHARE_WRITE\|4 00404421 \|. 68 00000080 \|push 80000000 ; \|Access = GENERIC_READ 00404426 \|. 8D8424 E80400>\|lea eax, dword ptr [esp+4E8] ; \| 0040442D \|. 50 \|push eax ; \|FileName 0040442E \|. FF15 2CC04100 \|call dword ptr [<&KERNEL32.CreateFil>; \CreateFileW 00404434 \|. 894424 18 \|mov dword ptr [esp+18], eax 00404438 \|. 83F8 FF \|cmp eax, -1 0040443B \|. 0F84 4E030000 \|je 0040478F 00404441 \|. E8 98F9FFFF \|call 00403DDE 00404446 \|. 85C0 \|test eax, eax 00404448 \|.^ 0F85 F7FDFFFF \jnz 00404245 0040444E \|. 33FF xor edi, edi 00404450 \|. 57 push edi ; /MapName => NULL 00404451 \|. 57 push edi ; \|MaximumSizeLow => 0 00404452 \|. 57 push edi ; \|MaximumSizeHigh => 0 00404453 \|. 6A 02 push 2 ; \|Protection = PAGE_READONLY 00404455 \|. 57 push edi ; \|pSecurity => NULL 00404456 \|. FF7424 2C push dword ptr [esp+2C] ; \|hFile 0040445A \|. FF15 30C04100 call dword ptr [<&KERNEL32.CreateFile>; \CreateFileMappingW 00404460 \|. 894424 20 mov dword ptr [esp+20], eax 00404464 \|. 3BC7 cmp eax, edi 00404466 \|. 0F84 30030000 je 0040479C 0040446C \|. 8B35 24C04100 mov esi, dword ptr [<&KERNEL32.MapVi>; kernel32.MapViewOfFile 00404472 \|. 68 00100000 push 1000 ; /MapSize = 1000 (4096.) 00404477 \|. 57 push edi ; \|OffsetLow => 0 00404478 \|. 57 push edi ; \|OffsetHigh => 0 00404479 \|. 6A 04 push 4 ; \|AccessMode = FILE_MAP_READ 0040447B \|. 50 push eax ; \|hMapObject 0040447C \|. FFD6 call esi ; \MapViewOfFile 0040447E \|. 894424 1C mov dword ptr [esp+1C], eax 00404482 \|. 3BC7 cmp eax, edi 00404484 \|. 0F84 1F030000 je 004047A9 0040448A \|. 8BF8 mov edi, eax 0040448C \|. E8 83F9FFFF call 00403E14 00404491 \|. FF7424 1C push dword ptr [esp+1C] ; /BaseAddress 00404495 \|. 8BF8 mov edi, eax ; \| 00404497 \|. 897C24 34 mov dword ptr [esp+34], edi ; \| 0040449B \|. FF15 34C04100 call dword ptr [<&KERNEL32.UnmapViewO>; \UnmapViewOfFile 004044A1 \|. 8D8424 840000>lea eax, dword ptr [esp+84] 004044A8 \|. 50 push eax ; /pFileInformation 004044A9 \|. FF7424 1C push dword ptr [esp+1C] ; \|hFile 004044AD \|. FF15 38C04100 call dword ptr [<&KERNEL32.GetFileInf>; \GetFileInformationByHandle 004044B3 \|. 85C0 test eax, eax 004044B5 \|. 0F84 FB020000 je 004047B6 004044BB \|. 33C0 xor eax, eax 004044BD \|. 398424 A40000>cmp dword ptr [esp+A4], eax 004044C4 \|. 75 0D jnz short 004044D3 004044C6 \|. 39BC24 A80000>cmp dword ptr [esp+A8], edi 004044CD \|. 0F86 7C040000 jbe 0040494F 004044D3 \|> 81C7 00100000 add edi, 1000 004044D9 \|. 57 push edi 004044DA \|. 50 push eax 004044DB \|. 50 push eax 004044DC \|. 6A 04 push 4 004044DE \|. FF7424 30 push dword ptr [esp+30] 004044E2 \|. FFD6 call esi 004044E4 \|. 8BF0 mov esi, eax 004044E6 \|. 897424 1C mov dword ptr [esp+1C], esi 004044EA \|. 85F6 test esi, esi 004044EC \|. 0F84 D1020000 je 004047C3 004044F2 \|. E8 A0F9FFFF call 00403E97 004044F7 \|. 8BC8 mov ecx, eax 004044F9 \|. 2B0D 0C504000 sub ecx, dword ptr [40500C] 004044FF \|. 6A 03 push 3 00404501 \|. 33D2 xor edx, edx 00404503 \|. 8BC1 mov eax, ecx 00404505 \|. 5F pop edi 00404506 \|. F7F7 div edi 00404508 \|. F7C1 0080FFFF test ecx, FFFF8000 0040450E \|. 74 16 je short 00404526 00404510 \|> 85D2 test edx, edx 00404512 \|> 0F84 68030000 je 00404880 00404518 \|. 83FA 01 cmp edx, 1 0040451B \|.^ 0F84 24FDFFFF je 00404245 00404521 \|. E9 39010000 jmp 0040465F 00404526 \|> 8BFE mov edi, esi 00404528 \|. E8 E7F8FFFF call 00403E14 0040452D \|. 03C6 add eax, esi 0040452F \|. 8B08 mov ecx, dword ptr [eax] 00404531 \|. 894424 10 mov dword ptr [esp+10], eax 00404535 \|. 8D70 04 lea esi, dword ptr [eax+4] 00404538 \|. 81F9 78766D00 cmp ecx, 6D7678 0040453E \|. 0F85 8C020000 jnz 004047D0 00404544 \|. 8B06 mov eax, dword ptr [esi] 00404546 \|. 83C6 04 add esi, 4 00404549 \|. 83F8 01 cmp eax, 1 0040454C \|. 0F85 94020000 jnz 004047E6 00404552 \|. 8B06 mov eax, dword ptr [esi] 00404554 \|. 8BF8 mov edi, eax 00404556 \|. 69FF 05840808 imul edi, edi, 8088405 0040455C \|. 83C6 04 add esi, 4 0040455F \|. 8B0E mov ecx, dword ptr [esi] 00404561 \|. 47 inc edi 00404562 \|. 8BD7 mov edx, edi 00404564 \|. 33D0 xor edx, eax 00404566 \|. 83C6 04 add esi, 4 00404569 \|. 3BD1 cmp edx, ecx 0040456B \|. 0F85 8B020000 jnz 004047FC 00404571 \|. 8B0E mov ecx, dword ptr [esi] 00404573 \|. 8BC7 mov eax, edi 00404575 \|. 69C0 05840808 imul eax, eax, 8088405 0040457B \|. 40 inc eax 0040457C \|. 8BD0 mov edx, eax 0040457E \|. 33D7 xor edx, edi 00404580 \|. 83C6 04 add esi, 4 00404583 \|. 3BD1 cmp edx, ecx 00404585 \|. 0F85 87020000 jnz 00404812 0040458B \|. 8B0E mov ecx, dword ptr [esi] 0040458D \|. 69C0 05840808 imul eax, eax, 8088405 00404593 \|. FF7424 1C push dword ptr [esp+1C] ; /BaseAddress 00404597 \|. 40 inc eax ; \| 00404598 \|. 33C8 xor ecx, eax ; \| 0040459A \|. 69C0 05840808 imul eax, eax, 8088405 ; \| 004045A0 \|. 83C6 04 add esi, 4 ; \| 004045A3 \|. 40 inc eax ; \| 004045A4 \|. 3306 xor eax, dword ptr [esi] ; \| 004045A6 \|. 894C24 2C mov dword ptr [esp+2C], ecx ; \| 004045AA \|. 894424 28 mov dword ptr [esp+28], eax ; \| 004045AE \|. FF15 34C04100 call dword ptr [<&KERNEL32.UnmapViewO>; \UnmapViewOfFile 004045B4 \|. FF7424 20 push dword ptr [esp+20] ; /hObject 004045B8 \|. FF15 28C04100 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle 004045BE \|. 33C0 xor eax, eax 004045C0 \|. 50 push eax ; /MapName => NULL 004045C1 \|. 50 push eax ; \|MaximumSizeLow => 0 004045C2 \|. 50 push eax ; \|MaximumSizeHigh => 0 004045C3 \|. 6A 08 push 8 ; \|Protection = PAGE_WRITECOPY 004045C5 \|. 50 push eax ; \|pSecurity => NULL 004045C6 \|. FF7424 2C push dword ptr [esp+2C] ; \|hFile 004045CA \|. FF15 30C04100 call dword ptr [<&KERNEL32.CreateFile>; \CreateFileMappingW 004045D0 \|. 894424 20 mov dword ptr [esp+20], eax 004045D4 \|. 85C0 test eax, eax 004045D6 \|. 0F84 4C020000 je 00404828 004045DC \|. 2B7424 10 sub esi, dword ptr [esp+10] 004045E0 \|. 8B4C24 24 mov ecx, dword ptr [esp+24] 004045E4 \|. 83C6 04 add esi, 4 004045E7 \|. 03CE add ecx, esi 004045E9 \|. 034C24 30 add ecx, dword ptr [esp+30] 004045ED \|. 897424 3C mov dword ptr [esp+3C], esi 004045F1 \|. 51 push ecx ; /MapSize 004045F2 \|. 6A 00 push 0 ; \|OffsetLow = 0 004045F4 \|. 6A 00 push 0 ; \|OffsetHigh = 0 004045F6 \|. 6A 01 push 1 ; \|AccessMode = FILE_MAP_COPY 004045F8 \|. 50 push eax ; \|hMapObject 004045F9 \|. FF15 24C04100 call dword ptr [<&KERNEL32.MapViewOfF>; \MapViewOfFile 004045FF \|. 33C9 xor ecx, ecx 00404601 \|. 894424 1C mov dword ptr [esp+1C], eax 00404605 \|. 3BC1 cmp eax, ecx 00404607 \|. 0F84 2B020000 je 00404838 0040460D \|. 8B4424 30 mov eax, dword ptr [esp+30] 00404611 \|. 03C6 add eax, esi 00404613 \|. 034424 1C add eax, dword ptr [esp+1C] 00404617 \|. 8B7424 24 mov esi, dword ptr [esp+24] 0040461B \|. 894424 2C mov dword ptr [esp+2C], eax 0040461F \|. 3BF1 cmp esi, ecx 00404621 \|. 76 17 jbe short 0040463A 00404623 \|> 69FF FD430300 /imul edi, edi, 343FD 00404629 \|. 81C7 C39E2600 \|add edi, 269EC3 0040462F \|. 8BD7 \|mov edx, edi 00404631 \|. C1EA 10 \|shr edx, 10 00404634 \|. 3010 \|xor byte ptr [eax], dl 00404636 \|. 40 \|inc eax 00404637 \|. 4E \|dec esi 00404638 \|.^ 75 E9 \jnz short 00404623 0040463A \|> 8D7424 4C lea esi, dword ptr [esp+4C] 0040463E \|. 894C24 6C mov dword ptr [esp+6C], ecx 00404642 \|. 894C24 70 mov dword ptr [esp+70], ecx 00404646 \|. 894C24 74 mov dword ptr [esp+74], ecx 0040464A \|. 894C24 50 mov dword ptr [esp+50], ecx 0040464E \|. 894C24 4C mov dword ptr [esp+4C], ecx 00404652 \|. E8 D9F6FFFF call 00403D30 00404657 \|. 85C0 test eax, eax 00404659 \|. 0F85 E9010000 jnz 00404848 0040465F \|> 6A 04 /push 4 ; /Protect = PAGE_READWRITE 00404661 \|. 68 00100000 \|push 1000 ; \|AllocationType = MEM_COMMIT 00404666 \|. FF7424 30 \|push dword ptr [esp+30] ; \|Size 0040466A \|. 6A 00 \|push 0 ; \|Address = NULL 0040466C \|. FF15 3CC04100 \|call dword ptr [<&KERNEL32.VirtualAl>; \VirtualAlloc 00404672 \|. 8BF0 \|mov esi, eax 00404674 \|. E8 1EF8FFFF \|call 00403E97 00404679 \|. 8BC8 \|mov ecx, eax 0040467B \|. 2B0D 0C504000 \|sub ecx, dword ptr [40500C] 00404681 \|. 6A 03 \|push 3 00404683 \|. 33D2 \|xor edx, edx 00404685 \|. 8BC1 \|mov eax, ecx 00404687 \|. 5F \|pop edi 00404688 \|. F7F7 \|div edi 0040468A \|. F7C1 0080FFFF \|test ecx, FFFF8000 00404690 \|. 74 12 \|je short 004046A4 00404692 \|. 85D2 \|test edx, edx 00404694 \|. 0F84 E6010000 \|je 00404880 0040469A \|. 83FA 01 \|cmp edx, 1 0040469D \|.^ 75 C0 \jnz short 0040465F 0040469F \|.^ E9 A1FBFFFF jmp 00404245 004046A4 \|> 8B4424 24 mov eax, dword ptr [esp+24] 004046A8 \|. 894424 50 mov dword ptr [esp+50], eax 004046AC \|. 8B4424 2C mov eax, dword ptr [esp+2C] 004046B0 \|. 894424 4C mov dword ptr [esp+4C], eax 004046B4 \|. 8B4424 28 mov eax, dword ptr [esp+28] 004046B8 \|. 894424 5C mov dword ptr [esp+5C], eax 004046BC \|. 8D4424 4C lea eax, dword ptr [esp+4C] 004046C0 \|. 50 push eax 004046C1 \|. 897424 5C mov dword ptr [esp+5C], esi 004046C5 \|. E8 76E7FFFF call 00402E40 004046CA \|. 59 pop ecx 004046CB \|. 83F8 01 cmp eax, 1 004046CE \|. 0F85 8A010000 jnz 0040485E 004046D4 \|. FF7424 1C push dword ptr [esp+1C] ; /BaseAddress 004046D8 \|. FF15 34C04100 call dword ptr [<&KERNEL32.UnmapViewO>; \UnmapViewOfFile 004046DE \|. FF7424 20 push dword ptr [esp+20] ; /hObject 004046E2 \|. FF15 28C04100 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle 004046E8 \|. E8 AAF7FFFF call 00403E97 004046ED \|. 8BC8 mov ecx, eax 004046EF \|. 2B0D 0C504000 sub ecx, dword ptr [40500C] 004046F5 \|. 6A 03 push 3 004046F7 \|. 33D2 xor edx, edx 004046F9 \|. 8BC1 mov eax, ecx 004046FB \|. 5F pop edi 004046FC \|. F7F7 div edi 004046FE \|. F7C1 0080FFFF test ecx, FFFF8000 00404704 \|.^ 0F85 06FEFFFF jnz 00404510 0040470A \|. 56 push esi 0040470B \|. E8 4EF8FFFF call 00403F5E 00404710 \|. C70424 008000>mov dword ptr [esp], 8000 ; \| 00404717 \|. FF7424 2C push dword ptr [esp+2C] ; \|Size 0040471B \|. 8BF8 mov edi, eax ; \| 0040471D \|. 56 push esi ; \|Address 0040471E \|. FF15 40C04100 call dword ptr [<&KERNEL32.VirtualFre>; \VirtualFree 00404724 \|. 85FF test edi, edi 00404726 \|. 0F84 00020000 je 0040492C 0040472C \|. 57 push edi 0040472D \|. E8 2FF7FFFF call 00403E61 00404732 \|. 59 pop ecx 00404733 \|. 57 push edi 00404734 \|. E8 8BF7FFFF call 00403EC4 00404739 \|. 59 pop ecx 0040473A \|. 894424 10 mov dword ptr [esp+10], eax 0040473E \|. 85C0 test eax, eax 00404740 \|. 0F85 2E010000 jnz 00404874 00404746 \|. 68 20114000 push 00401120 ; UNICODE "There has been an error starting this virtual appliance. Error code: " 0040474B \|. 8BC3 mov eax, ebx 0040474D \|. E8 B5020000 call 00404A07 00404752 \|. 68 5C134000 push 0040135C ; UNICODE "0x0006" 00404757 \|. E9 C9010000 jmp 00404925 0040475C \|> FF15 20C04100 call dword ptr [<&KERNEL32.GetLastErr>; [GetLastError 00404762 \|. 68 0C114000 push 0040110C ; UNICODE "0x00020: " 00404767 \|> 8DB424 BC0000>lea esi, dword ptr [esp+BC] 0040476E \|. 8BF8 mov edi, eax 00404770 \|. E8 58020000 call 004049CD 00404775 \|. 8BC7 mov eax, edi 00404777 \|. E9 87010000 jmp 00404903 0040477C \|> FFD6 call esi 0040477E \|. 68 EC114000 push 004011EC ; UNICODE "0x00021: " 00404783 \|.^ EB E2 jmp short 00404767 00404785 \|> 68 00124000 push 00401200 ; UNICODE "0x00022: " 0040478A \|. E9 64010000 jmp 004048F3 0040478F \|> FF15 20C04100 call dword ptr [<&KERNEL32.GetLastErr>; [GetLastError 00404795 \|. 68 30124000 push 00401230 ; UNICODE "0x0003: " 0040479A \|.^ EB CB jmp short 00404767 0040479C \|> FF15 20C04100 call dword ptr [<&KERNEL32.GetLastErr>; [GetLastError 004047A2 \|. 68 7C124000 push 0040127C ; UNICODE "0x00040: " 004047A7 \|.^ EB BE jmp short 00404767 004047A9 \|> FF15 20C04100 call dword ptr [<&KERNEL32.GetLastErr>; [GetLastError 004047AF \|. 68 90124000 push 00401290 ; UNICODE "0x00050: " 004047B4 \|.^ EB B1 jmp short 00404767 004047B6 \|> FF15 20C04100 call dword ptr [<&KERNEL32.GetLastErr>; [GetLastError 004047BC \|. 68 A4124000 push 004012A4 ; UNICODE "0x00053: " 004047C1 \|.^ EB A4 jmp short 00404767 004047C3 \|> FF15 20C04100 call dword ptr [<&KERNEL32.GetLastErr>; [GetLastError 004047C9 \|. 68 B8124000 push 004012B8 ; UNICODE "0x00051: " 004047CE \|.^ EB 97 jmp short 00404767 004047D0 \|> 68 20114000 push 00401120 ; UNICODE "There has been an error starting this virtual appliance. Error code: " 004047D5 \|. 8BC3 mov eax, ebx 004047D7 \|. E8 2B020000 call 00404A07 004047DC \|. 68 CC124000 push 004012CC ; UNICODE "0x00E00" 004047E1 \|. E9 3F010000 jmp 00404925 004047E6 \|> 68 20114000 push 00401120 ; UNICODE "There has been an error starting this virtual appliance. Error code: " 004047EB \|. 8BC3 mov eax, ebx 004047ED \|. E8 15020000 call 00404A07 004047F2 \|. 68 DC124000 push 004012DC ; UNICODE "0x00E01" 004047F7 \|. E9 29010000 jmp 00404925 004047FC \|> 68 20114000 push 00401120 ; UNICODE "There has been an error starting this virtual appliance. Error code: " 00404801 \|. 8BC3 mov eax, ebx 00404803 \|. E8 FF010000 call 00404A07 00404808 \|. 68 EC124000 push 004012EC ; UNICODE "0x00E1" 0040480D \|. E9 13010000 jmp 00404925 00404812 \|> 68 20114000 push 00401120 ; UNICODE "There has been an error starting this virtual appliance. Error code: " 00404817 \|. 8BC3 mov eax, ebx 00404819 \|. E8 E9010000 call 00404A07 0040481E \|. 68 FC124000 push 004012FC ; UNICODE "0x00E2" 00404823 \|. E9 FD000000 jmp 00404925 00404828 \|> FF15 20C04100 call dword ptr [<&KERNEL32.GetLastErr>; [GetLastError 0040482E \|. 68 0C134000 push 0040130C ; UNICODE "0x00041: " 00404833 \|.^ E9 2FFFFFFF jmp 00404767 00404838 \|> FF15 20C04100 call dword ptr [<&KERNEL32.GetLastErr>; [GetLastError 0040483E \|. 68 20134000 push 00401320 ; UNICODE "0x00052: " 00404843 \|.^ E9 1FFFFFFF jmp 00404767 00404848 \|> 68 20114000 push 00401120 ; UNICODE "There has been an error starting this virtual appliance. Error code: " 0040484D \|. 8BC3 mov eax, ebx 0040484F \|. E8 B3010000 call 00404A07 00404854 \|. 68 34134000 push 00401334 ; UNICODE "0x00Z1" 00404859 \|. E9 C7000000 jmp 00404925 0040485E \|> 68 20114000 push 00401120 ; UNICODE "There has been an error starting this virtual appliance. Error code: " 00404863 \|. 8BC3 mov eax, ebx 00404865 \|. E8 9D010000 call 00404A07 0040486A \|. 68 44134000 push 00401344 ; UNICODE "0x00Z2" 0040486F \|. E9 B1000000 jmp 00404925 00404874 \|> 6A 00 push 0 ; /pModule = NULL 00404876 \|. FF15 44C04100 call dword ptr [<&KERNEL32.GetModuleH>; \GetModuleHandleA 0040487C \|. 894424 2C mov dword ptr [esp+2C], eax 00404880 \|> 33FF xor edi, edi 00404882 \|. 57 push edi ; /MapName => NULL 00404883 \|. 57 push edi ; \|MaximumSizeLow => 0 00404884 \|. 57 push edi ; \|MaximumSizeHigh => 0 00404885 \|. 6A 02 push 2 ; \|Protection = PAGE_READONLY 00404887 \|. 57 push edi ; \|pSecurity => NULL 00404888 \|. FF7424 2C push dword ptr [esp+2C] ; \|hFile 0040488C \|. FF15 30C04100 call dword ptr [<&KERNEL32.CreateFile>; \CreateFileMappingW 00404892 \|. 8BF0 mov esi, eax 00404894 \|. 3BF7 cmp esi, edi 00404896 \|. 75 10 jnz short 004048A8 00404898 \|. FF15 20C04100 call dword ptr [<&KERNEL32.GetLastErr>; [GetLastError 0040489E \|. 68 6C134000 push 0040136C ; UNICODE "0x00042: " 004048A3 \|.^ E9 BFFEFFFF jmp 00404767 004048A8 \|> 8D4424 40 lea eax, dword ptr [esp+40] 004048AC \|. 50 push eax ; /lpFileSize 004048AD \|. FF7424 1C push dword ptr [esp+1C] ; \|hFile 004048B1 \|. FF15 48C04100 call dword ptr [<&KERNEL32.GetFileSiz>; \GetFileSizeEx 004048B7 \|. FF7424 18 push dword ptr [esp+18] ; /hObject 004048BB \|. FF15 28C04100 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle 004048C1 \|. FF7424 38 push dword ptr [esp+38] 004048C5 \|. 8B4C24 28 mov ecx, dword ptr [esp+28] 004048C9 \|. FF7424 38 push dword ptr [esp+38] 004048CD \|. 8B4424 44 mov eax, dword ptr [esp+44] 004048D1 \|. 03C1 add eax, ecx 004048D3 \|. 034424 38 add eax, dword ptr [esp+38] 004048D7 \|. 50 push eax 004048D8 \|. FF7424 50 push dword ptr [esp+50] 004048DC \|. FF7424 50 push dword ptr [esp+50] 004048E0 \|. 56 push esi 004048E1 \|. FF7424 44 push dword ptr [esp+44] 004048E5 \|. FF5424 2C call dword ptr [esp+2C] ; 猛跳，跟进去很难跑出来，就是用自动步入也难跑出。窗口在这里弹出要密码才能进去 004048E9 \|. 83C4 1C add esp, 1C 004048EC \|. EB 61 jmp short 0040494F 004048EE \|> 68 14124000 push 00401214 ; UNICODE "0x00023: " 004048F3 \|> 8DB424 BC0000>lea esi, dword ptr [esp+BC] 004048FA \|. E8 CE000000 call 004049CD 004048FF \|. 8B4424 10 mov eax, dword ptr [esp+10] 00404903 \|> 6A 0A push 0A 00404905 \|. 8D8C24 BC0000>lea ecx, dword ptr [esp+BC] 0040490C \|. E8 56000000 call 00404967 00404911 \|. 68 20114000 push 00401120 ; UNICODE "There has been an error starting this virtual appliance. Error code: " 00404916 \|. 8BC3 mov eax, ebx 00404918 \|. E8 EA000000 call 00404A07 0040491D \|. 8D8424 B80000>lea eax, dword ptr [esp+B8] 00404924 \|. 50 push eax 00404925 \|> 8BF3 mov esi, ebx 00404927 \|. E8 A1000000 call 004049CD 0040492C \|> 68 80134000 push 00401380 ; /ProcNameOrOrdinal = "MessageBoxW" 00404931 \|. 68 8C134000 push 0040138C ; \|/FileName = "user32.dll" 00404936 \|. FF15 50C04100 call dword ptr [<&KERNEL32.LoadLibrar>; \|\LoadLibraryW 0040493C \|. 50 push eax ; \|hModule 0040493D \|. FF15 4CC04100 call dword ptr [<&KERNEL32.GetProcAdd>; \GetProcAddress 00404943 \|. 6A 10 push 10 00404945 \|. 68 A8134000 push 004013A8 ; UNICODE "Xenocode Virtual Appliance Runtime" 0040494A \|. 53 push ebx 0040494B \|. 6A 00 push 0 0040494D \|. FFD0 call eax 0040494F \|> 5F pop edi 00404950 \|. 5E pop esi 00404951 \|. 5B pop ebx 00404952 \|. 8BE5 mov esp, ebp 00404954 \|. 5D pop ebp 00404955 \. C3 retn 00404956 /$ 33C0 xor eax, eax 00404958 \|. 66:3901 cmp word ptr [ecx], ax 0040495B \|. 74 09 je short 00404966 0040495D \|> 40 /inc eax 0040495E \|. 41 \|inc ecx 0040495F \|. 41 \|inc ecx 00404960 \|. 66:8339 00 \|cmp word ptr [ecx], 0 00404964 \|.^ 75 F7 \jnz short 0040495D 00404966 \> C3 retn 00404967 /$ 56 push esi 00404968 \|. 8BB1 14040000 mov esi, dword ptr [ecx+414] 0040496E \|. 57 push edi 0040496F \|> 33D2 /xor edx, edx 00404971 \|. F77424 0C \|div dword ptr [esp+C] 00404975 \|. 8BB9 14040000 \|mov edi, dword ptr [ecx+414] 0040497B \|. 66:8B1455 801>\|mov dx, word ptr [edx2+401080] 00404983 \|. 66:891479 \|mov word ptr [ecx+edi2], dx 00404987 \|. FF81 14040000 \|inc dword ptr [ecx+414] 0040498D \|. 8B91 14040000 \|mov edx, dword ptr [ecx+414] 00404993 \|. 85C0 \|test eax, eax 00404995 \|.^ 77 D8 \ja short 0040496F 00404997 \|. 33C0 xor eax, eax 00404999 \|. 66:890451 mov word ptr [ecx+edx2], ax 0040499D \|. 8B81 14040000 mov eax, dword ptr [ecx+414] 004049A3 \|. EB 11 jmp short 004049B6 004049A5 \|> 0FB71471 /movzx edx, word ptr [ecx+esi2] 004049A9 \|. 66:8B3C41 \|mov di, word ptr [ecx+eax2] 004049AD \|. 66:893C71 \|mov word ptr [ecx+esi2], di 004049B1 \|. 66:891441 \|mov word ptr [ecx+eax2], dx 004049B5 \|. 46 \|inc esi 004049B6 \|> 48 dec eax 004049B7 \|. 3BF0 \|cmp esi, eax 004049B9 \|.^ 72 EA \jb short 004049A5 004049BB \|. 5F pop edi 004049BC \|. 5E pop esi 004049BD \. C2 0400 retn 4 004049C0 . 83A0 14040000>and dword ptr [eax+414], 0 004049C7 . 33C9 xor ecx, ecx 004049C9 . 66:8908 mov word ptr [eax], cx 004049CC . C3 retn 004049CD /$ 8B4C24 04 mov ecx, dword ptr [esp+4] 004049D1 \|. 57 push edi 004049D2 \|. E8 7FFFFFFF call 00404956 004049D7 \|. FF7424 08 push dword ptr [esp+8] 004049DB \|. 8BF8 mov edi, eax 004049DD \|. 8B86 14040000 mov eax, dword ptr [esi+414] 004049E3 \|. 8D143F lea edx, dword ptr [edi+edi] 004049E6 \|. 8D0446 lea eax, dword ptr [esi+eax2] 004049E9 \|. E8 85000000 call 00404A73 004049EE \|. 8B86 14040000 mov eax, dword ptr [esi+414] 004049F4 \|. 59 pop ecx 004049F5 \|. 03C7 add eax, edi 004049F7 \|. 33C9 xor ecx, ecx 004049F9 \|. 66:890C46 mov word ptr [esi+eax*2], cx 004049FD \|. 01BE 14040000 add dword ptr [esi+414], edi 00404A03 \|. 5F pop edi 00404A04 \. C2 0400 retn 4 00404A07 /$ 56 push esi 00404A08 \|. FF7424 08 push dword ptr [esp+8] 00404A0C \|. 8BF0 mov esi, eax 00404A0E \|. 83A6 14040000>and dword ptr [esi+414], 0 00404A15 \|. 33C0 xor eax, eax 00404A17 \|. 66:8906 mov word ptr [esi], ax 00404A1A \|. E8 AEFFFFFF call 004049CD 00404A1F \|. 5E pop esi 00404A20 \. C2 0400 retn 4 00404A23 /$ 56 push esi 00404A24 \|. FF7424 08 push dword ptr [esp+8] 00404A28 \|. 8BF0 mov esi, eax 00404A2A \|. 83A6 14040000>and dword ptr [esi+414], 0 00404A31 \|. 33C0 xor eax, eax 00404A33 \|. 66:8906 mov word ptr [esi], ax 00404A36 \|. E8 92FFFFFF call 004049CD 00404A3B \|. 8BC6 mov eax, esi 00404A3D \|. 5E pop esi 00404A3E \. C2 0400 retn 4 00404A41 /$ 33C0 xor eax, eax 00404A43 \|. 3801 cmp byte ptr [ecx], al 00404A45 \|. 74 07 je short 00404A4E 00404A47 \|> 40 /inc eax 00404A48 \|. 41 \|inc ecx 00404A49 \|. 8039 00 \|cmp byte ptr [ecx], 0 00404A4C \|.^ 75 F9 \jnz short 00404A47 00404A4E \> C3 retn 00404A4F /$ 03D1 add edx, ecx 00404A51 \|. 33C0 xor eax, eax 00404A53 \|. 3BCA cmp ecx, edx 00404A55 \|. 74 1B je short 00404A72 00404A57 \|. 56 push esi 00404A58 \|. BE 54134000 mov esi, 00401354 ; ASCII "RunVM" 00404A5D \|. 2BF1 sub esi, ecx 00404A5F \|. 57 push edi 00404A60 \|> 0FB63C0E /movzx edi, byte ptr [esi+ecx] 00404A64 \|. 0FB601 \|movzx eax, byte ptr [ecx] 00404A67 \|. 2BC7 \|sub eax, edi 00404A69 \|. 75 05 \|jnz short 00404A70 00404A6B \|. 41 \|inc ecx 00404A6C \|. 3BCA \|cmp ecx, edx 00404A6E \|.^ 75 F0 \jnz short 00404A60 00404A70 \|> 5F pop edi 00404A71 \|. 5E pop esi 00404A72 \> C3 retn 00404A73 /$ 56 push esi 00404A74 \|. 8D3410 lea esi, dword ptr [eax+edx] 00404A77 \|. 8BC8 mov ecx, eax 00404A79 \|. 3BC6 cmp eax, esi 00404A7B \|. 74 12 je short 00404A8F 00404A7D \|. 57 push edi 00404A7E \|. 8B7C24 0C mov edi, dword ptr [esp+C] 00404A82 \|. 2BF8 sub edi, eax 00404A84 \|> 8A140F /mov dl, byte ptr [edi+ecx] 00404A87 \|. 8811 \|mov byte ptr [ecx], dl 00404A89 \|. 41 \|inc ecx 00404A8A \|. 3BCE \|cmp ecx, esi 00404A8C \|.^ 75 F6 \jnz short 00404A84 00404A8E \|. 5F pop edi 00404A8F \|> 5E pop esi 00404A90 \. C3 retn 00404A91 . FF7424 04 push dword ptr [esp+4] ; /pMemory 00404A95 . 6A 00 push 0 ; \|Flags = 0 00404A97 . FF15 04C04100 call dword ptr [<&KERNEL32.GetProcess>; \|[GetProcessHeap 00404A9D . 50 push eax ; \|hHeap 00404A9E . FF15 08C04100 call dword ptr [<&KERNEL32.HeapFree>] ; \HeapFree 00404AA4 . C3 retn 00404AA5 . FF7424 04 push dword ptr [esp+4] ; /dwBytes 00404AA9 . 6A 00 push 0 ; \|dwFlags = 0 00404AAB . FF15 04C04100 call dword ptr [<&KERNEL32.GetProcess>; \|[GetProcessHeap 00404AB1 . 50 push eax ; \|hHeap 00404AB2 . FF15 00C04100 call dword ptr [<&KERNEL32.HeapAlloc>>; \RtlAllocateHeap 00404AB8 . C3 retn 00404AB9 CC int3 00404ABA CC int3 00404ABB CC int3 00404ABC E4 db E4 00404ABD 4A db 4A ; CHAR 'J' 00404ABE 00 db 00 00404ABF 00 db 00 00404AC0 00 db 00 00404AC1 00 db 00 00404AC2 00 db 00 00404AC3 00 db 00 00404AC4 00 db 00 00404AC5 00 db 00 00404AC6 00 db 00 00404AC7 00 db 00 00404AC8 B6 db B6 00404AC9 4C db 4C ; CHAR 'L' 00404ACA 00 db 00 00404ACB 00 db 00 00404ACC 00 db 00 00404ACD 10 db 10 00404ACE 00 db 00 00404ACF 00 db 00 00404AD0 00 db 00 00404AD1 00 db 00 00404AD2 00 db 00 00404AD3 00 db 00 00404AD4 00 db 00 00404AD5 00 db 00 00404AD6 00 db 00 00404AD7 00 db 00 00404AD8 00 db 00 00404AD9 00 db 00 00404ADA 00 db 00 00404ADB 00 db 00 00404ADC 00 db 00 00404ADD 00 db 00 00404ADE 00 db 00 00404ADF 00 db 00 00404AE0 00 db 00 00404AE1 00 db 00 00404AE2 00 db 00 00404AE3 00 db 00 00404AE4 . 3C 4B 00 ascii "<K",0 00404AE7 00 db 00 00404AE8 . 48 4B 00 ascii "HK",0 00404AEB 00 db 00 00404AEC . 5A 4B 00 ascii "ZK",0 00404AEF 00 db 00 00404AF0 . 66 4B 00 ascii "fK",0 00404AF3 00 db 00 00404AF4 . 76 4B 00 ascii "vK",0 00404AF7 00 db 00 00404AF8 8C db 8C 00404AF9 4B db 4B ; CHAR 'K' 00404AFA 00 db 00 00404AFB 00 db 00 00404AFC A6 db A6 00404AFD 4B db 4B ; CHAR 'K' 00404AFE 00 db 00 00404AFF 00 db 00 00404B00 BC db BC 00404B01 4B db 4B ; CHAR 'K' 00404B02 00 db 00 00404B03 00 db 00 00404B04 D0 db D0 00404B05 4B db 4B ; CHAR 'K' 00404B06 00 db 00 00404B07 00 db 00 00404B08 E0 db E0 00404B09 4B db 4B ; CHAR 'K' 00404B0A 00 db 00 00404B0B 00 db 00 00404B0C F0 db F0 00404B0D 4B db 4B ; CHAR 'K' 00404B0E 00 db 00 00404B0F 00 db 00 00404B10 FE db FE 00404B11 4B db 4B ; CHAR 'K' 00404B12 00 db 00 00404B13 00 db 00 00404B14 0C db 0C 00404B15 4C db 4C ; CHAR 'L' 00404B16 00 db 00 00404B17 00 db 00 00404B18 . 22 4C 00 ascii ""L",0 00404B1B 00 db 00 00404B1C . 34 4C 00 ascii "4L",0 00404B1F 00 db 00 00404B20 . 52 4C 00 ascii "RL",0 00404B23 00 db 00 00404B24 . 62 4C 00 ascii "bL",0 00404B27 00 db 00 00404B28 . 70 4C 00 ascii "pL",0 00404B2B 00 db 00 00404B2C 84 db 84 00404B2D 4C db 4C ; CHAR 'L' 00404B2E 00 db 00 00404B2F 00 db 00 00404B30 94 db 94 00404B31 4C db 4C ; CHAR 'L' 00404B32 00 db 00 00404B33 00 db 00 00404B34 A6 db A6 00404B35 4C db 4C ; CHAR 'L' 00404B36 00 db 00 00404B37 00 db 00 00404B38 00 db 00 00404B39 00 db 00 00404B3A 00 db 00 00404B3B 00 db 00 00404B3C 9D db 9D 00404B3D . 02 db 02 00404B3E . 48 65 ascii "He" 00404B40 . 61 70 41 6C 6>ascii "apAlloc",0 00404B48 23 db 23 ; CHAR '#' 00404B49 . 02 db 02 00404B4A . 47 65 ascii "Ge" 00404B4C . 74 50 72 6F 6>ascii "tProcessHeap",0 00404B59 00 db 00 00404B5A A1 db A1 00404B5B . 02 db 02 00404B5C . 48 65 ascii "He" 00404B5E . 61 70 46 72 6>ascii "apFree",0 00404B65 00 db 00 00404B66 66 db 66 ; CHAR 'f' 00404B67 . 02 db 02 00404B68 . 47 65 ascii "Ge" 00404B6A . 74 54 69 63 6>ascii "tTickCount",0 00404B75 00 db 00 00404B76 F5 db F5 00404B77 01 db 01 00404B78 . 47 65 74 4D 6>ascii "GetModuleFileNam" 00404B88 . 65 57 00 ascii "eW",0 00404B8B 00 db 00 00404B8C D1 db D1 00404B8D . 03 db 03 00404B8E . 53 65 74 ascii "Set" 00404B91 . 45 6E 76 69 7>ascii "EnvironmentVaria" 00404BA1 . 62 6C 65 57 0>ascii "bleW",0 00404BA6 AA db AA 00404BA7 01 db 01 00404BA8 . 47 65 74 43 7>ascii "GetCurrentProces" 00404BB8 . 73 49 64 00 ascii "sId",0 00404BBC 2C db 2C ; CHAR ',' 00404BBD . 03 db 03 00404BBE . 4F 70 65 ascii "Ope" 00404BC1 . 6E 46 69 6C 6>ascii "nFileMappingW",0 00404BCF 00 db 00 00404BD0 E6 db E6 00404BD1 01 db 01 00404BD2 . 47 65 74 4C 6>ascii "GetLastError",0 00404BDF 00 db 00 00404BE0 0A db 0A 00404BE1 . 03 db 03 00404BE2 . 4D 61 70 ascii "Map" 00404BE5 . 56 69 65 77 4>ascii "ViewOfFile",0 00404BF0 43 db 43 ; CHAR 'C' 00404BF1 00 db 00 00404BF2 . 43 6C 6F 73 6>ascii "CloseHandle",0 00404BFE 7F db 7F 00404BFF 00 db 00 00404C00 . 43 72 65 61 7>ascii "CreateFileW",0 00404C0C 7C db 7C ; CHAR '\|' 00404C0D 00 db 00 00404C0E . 43 72 65 61 7>ascii "CreateFileMappin" 00404C1E . 67 57 00 ascii "gW",0 00404C21 00 db 00 00404C22 41 db 41 ; CHAR 'A' 00404C23 . 04 db 04 00404C24 . 55 6E 6D 61 ascii "Unma" 00404C28 . 70 56 69 65 7>ascii "pViewOfFile",0 00404C34 D0 db D0 00404C35 01 db 01 00404C36 . 47 65 74 46 6>ascii "GetFileInformati" 00404C46 . 6F 6E 42 79 4>ascii "onByHandle",0 00404C51 00 db 00 00404C52 54 db 54 ; CHAR 'T' 00404C53 . 04 db 04 00404C54 . 56 69 72 74 ascii "Virt" 00404C58 . 75 61 6C 41 6>ascii "ualAlloc",0 00404C61 00 db 00 00404C62 57 db 57 ; CHAR 'W' 00404C63 . 04 db 04 00404C64 . 56 69 72 74 ascii "Virt" 00404C68 . 75 61 6C 46 7>ascii "ualFree",0 00404C70 F6 db F6 00404C71 01 db 01 00404C72 . 47 65 74 4D 6>ascii "GetModuleHandleA" 00404C82 . 00 ascii 0 00404C83 00 db 00 00404C84 D5 db D5 00404C85 01 db 01 00404C86 . 47 65 74 46 6>ascii "GetFileSizeEx",0 00404C94 20 db 20 ; CHAR ' ' 00404C95 . 02 db 02 00404C96 . 47 65 ascii "Ge" 00404C98 . 74 50 72 6F 6>ascii "tProcAddress",0 00404CA5 00 db 00 00404CA6 F4 db F4 00404CA7 . 02 db 02 00404CA8 . 4C 6F ascii "Lo" 00404CAA . 61 64 4C 69 6>ascii "adLibraryW",0 00404CB5 00 db 00 00404CB6 . 4B 45 52 4E 4>ascii "KERNEL32.dll",0 00404CC3 00 db 00 请网友指点在那里下断密码输入跳转 2010-12-20 19:30 0
杨氏雪币： 25 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 20 粉丝 0 关注私信	杨氏 20 楼 004048E5 \|. FF5424 2C call dword ptr [esp+2C]-------------猛跳，跟进去很难跑出来，就是用自动步入也难跑出。窗口在这里弹出要密码才能进去 004048E9 \|. 83C4 1C add esp, 1C---------------------窗口跳出要输入密码才能进真正的软件。如果密码不对就进不去。也没有什么断点可以下，下不了 004048EC \|. EB 61 jmp short 0040494F 004048EE \|> 68 14124000 push 00401214 ; UNICODE "0x00023: " 004048F3 \|> 8DB424 BC0000>lea esi, dword ptr [esp+BC] 004048FA \|. E8 CE000000 call 004049CD 004048FF \|. 8B4424 10 mov eax, dword ptr [esp+10] 00404903 \|> 6A 0A push 0A 00404905 \|. 8D8C24 BC0000>lea ecx, dword ptr [esp+BC] 0040490C \|. E8 56000000 call 00404967 00404911 \|. 68 20114000 push 00401120 ; UNICODE "There has been an error starting this virtual appliance. Error code: " 00404916 \|. 8BC3 mov eax, ebx 00404918 \|. E8 EA000000 call 00404A07不知道在那里下断点。下密码断点也不可以。下窗口也不可以。现在这个代码应该是关键下断的。 0040491D \|. 8D8424 B80000>lea eax, dword ptr [esp+B8] 00404924 \|. 50 push eax 00404925 \|> 8BF3 mov esi, ebx 00404927 \|. E8 A1000000 call 004049CD 0040492C \|> 68 80134000 push 00401380 ; /ProcNameOrOrdinal = "MessageBoxW" 00404931 \|. 68 8C134000 push 0040138C ; \|/FileName = "user32.dll" 00404936 \|. FF15 50C04100 call dword ptr [<&KERNEL32.LoadLibrar>; \|\LoadLibraryW 0040493C \|. 50 push eax ; \|hModule 0040493D \|. FF15 4CC04100 call dword ptr [<&KERNEL32.GetProcAdd>; \GetProcAddress 00404943 \|. 6A 10 push 10 00404945 \|. 68 A8134000 push 004013A8 ; UNICODE "Xenocode Virtual Appliance Runtime" 0040494A \|. 53 push ebx 0040494B \|. 6A 00 push 0 0040494D \|. FFD0 call eax 0040494F \|> 5F pop edi 00404950 \|. 5E pop esi 00404951 \|. 5B pop ebx 00404952 \|. 8BE5 mov esp, ebp 00404954 \|. 5D pop ebp 00404955 \. C3 retn 00404956 /$ 33C0 xor eax, eax 00404958 \|. 66:3901 cmp word ptr [ecx], ax 0040495B \|. 74 09 je short 00404966 0040495D \|> 40 /inc eax 0040495E \|. 41 \|inc ecx 0040495F \|. 41 \|inc ecx 00404960 \|. 66:8339 00 \|cmp word ptr [ecx], 0 00404964 \|.^ 75 F7 \jnz short 0040495D 00404966 \> C3 retn 00404967 /$ 56 push esi 00404968 \|. 8BB1 14040000 mov esi, dword ptr [ecx+414] 0040496E \|. 57 push edi 0040496F \|> 33D2 /xor edx, edx 00404971 \|. F77424 0C \|div dword ptr [esp+C] 00404975 \|. 8BB9 14040000 \|mov edi, dword ptr [ecx+414] 0040497B \|. 66:8B1455 801>\|mov dx, word ptr [edx2+401080] 00404983 \|. 66:891479 \|mov word ptr [ecx+edi2], dx 00404987 \|. FF81 14040000 \|inc dword ptr [ecx+414] 0040498D \|. 8B91 14040000 \|mov edx, dword ptr [ecx+414] 00404993 \|. 85C0 \|test eax, eax 00404995 \|.^ 77 D8 \ja short 0040496F 00404997 \|. 33C0 xor eax, eax 00404999 \|. 66:890451 mov word ptr [ecx+edx2], ax 0040499D \|. 8B81 14040000 mov eax, dword ptr [ecx+414] 004049A3 \|. EB 11 jmp short 004049B6 004049A5 \|> 0FB71471 /movzx edx, word ptr [ecx+esi2] 004049A9 \|. 66:8B3C41 \|mov di, word ptr [ecx+eax2] 004049AD \|. 66:893C71 \|mov word ptr [ecx+esi2], di 004049B1 \|. 66:891441 \|mov word ptr [ecx+eax2], dx 004049B5 \|. 46 \|inc esi 004049B6 \|> 48 dec eax 004049B7 \|. 3BF0 \|cmp esi, eax 004049B9 \|.^ 72 EA \jb short 004049A5 004049BB \|. 5F pop edi 004049BC \|. 5E pop esi 004049BD \. C2 0400 retn 4 004049C0 . 83A0 14040000>and dword ptr [eax+414], 0 004049C7 . 33C9 xor ecx, ecx 004049C9 . 66:8908 mov word ptr [eax], cx 004049CC . C3 retn 004049CD /$ 8B4C24 04 mov ecx, dword ptr [esp+4] 004049D1 \|. 57 push edi 004049D2 \|. E8 7FFFFFFF call 00404956 004049D7 \|. FF7424 08 push dword ptr [esp+8] 004049DB \|. 8BF8 mov edi, eax 004049DD \|. 8B86 14040000 mov eax, dword ptr [esi+414] 004049E3 \|. 8D143F lea edx, dword ptr [edi+edi] 004049E6 \|. 8D0446 lea eax, dword ptr [esi+eax2] 004049E9 \|. E8 85000000 call 00404A73 004049EE \|. 8B86 14040000 mov eax, dword ptr [esi+414] 004049F4 \|. 59 pop ecx 004049F5 \|. 03C7 add eax, edi 004049F7 \|. 33C9 xor ecx, ecx 004049F9 \|. 66:890C46 mov word ptr [esi+eax*2], cx 004049FD \|. 01BE 14040000 add dword ptr [esi+414], edi 00404A03 \|. 5F pop edi 00404A04 \. C2 0400 retn 4 00404A07 /$ 56 push esi 00404A08 \|. FF7424 08 push dword ptr [esp+8] 00404A0C \|. 8BF0 mov esi, eax 00404A0E \|. 83A6 14040000>and dword ptr [esi+414], 0 00404A15 \|. 33C0 xor eax, eax 00404A17 \|. 66:8906 mov word ptr [esi], ax 00404A1A \|. E8 AEFFFFFF call 004049CD 00404A1F \|. 5E pop esi 00404A20 \. C2 0400 retn 4 00404A23 /$ 56 push esi 00404A24 \|. FF7424 08 push dword ptr [esp+8] 00404A28 \|. 8BF0 mov esi, eax 00404A2A \|. 83A6 14040000>and dword ptr [esi+414], 0 00404A31 \|. 33C0 xor eax, eax 00404A33 \|. 66:8906 mov word ptr [esi], ax 00404A36 \|. E8 92FFFFFF call 004049CD 00404A3B \|. 8BC6 mov eax, esi 00404A3D \|. 5E pop esi 00404A3E \. C2 0400 retn 4 00404A41 /$ 33C0 xor eax, eax 00404A43 \|. 3801 cmp byte ptr [ecx], al 00404A45 \|. 74 07 je short 00404A4E 00404A47 \|> 40 /inc eax 00404A48 \|. 41 \|inc ecx 00404A49 \|. 8039 00 \|cmp byte ptr [ecx], 0 00404A4C \|.^ 75 F9 \jnz short 00404A47 00404A4E \> C3 retn 00404A4F /$ 03D1 add edx, ecx 00404A51 \|. 33C0 xor eax, eax 00404A53 \|. 3BCA cmp ecx, edx 00404A55 \|. 74 1B je short 00404A72 00404A57 \|. 56 push esi 00404A58 \|. BE 54134000 mov esi, 00401354 ; ASCII "RunVM" 00404A5D \|. 2BF1 sub esi, ecx 00404A5F \|. 57 push edi 00404A60 \|> 0FB63C0E /movzx edi, byte ptr [esi+ecx] 00404A64 \|. 0FB601 \|movzx eax, byte ptr [ecx] 00404A67 \|. 2BC7 \|sub eax, edi 00404A69 \|. 75 05 \|jnz short 00404A70 00404A6B \|. 41 \|inc ecx 00404A6C \|. 3BCA \|cmp ecx, edx 00404A6E \|.^ 75 F0 \jnz short 00404A60 00404A70 \|> 5F pop edi 00404A71 \|. 5E pop esi 00404A72 \> C3 retn 00404A73 /$ 56 push esi 00404A74 \|. 8D3410 lea esi, dword ptr [eax+edx] 00404A77 \|. 8BC8 mov ecx, eax 00404A79 \|. 3BC6 cmp eax, esi 00404A7B \|. 74 12 je short 00404A8F 00404A7D \|. 57 push edi 00404A7E \|. 8B7C24 0C mov edi, dword ptr [esp+C] 00404A82 \|. 2BF8 sub edi, eax 00404A84 \|> 8A140F /mov dl, byte ptr [edi+ecx] 00404A87 \|. 8811 \|mov byte ptr [ecx], dl 00404A89 \|. 41 \|inc ecx 00404A8A \|. 3BCE \|cmp ecx, esi 00404A8C \|.^ 75 F6 \jnz short 00404A84 00404A8E \|. 5F pop edi 00404A8F \|> 5E pop esi 00404A90 \. C3 retn 00404A91 . FF7424 04 push dword ptr [esp+4] ; /pMemory 00404A95 . 6A 00 push 0 ; \|Flags = 0 00404A97 . FF15 04C04100 call dword ptr [<&KERNEL32.GetProcess>; \|[GetProcessHeap 00404A9D . 50 push eax ; \|hHeap 00404A9E . FF15 08C04100 call dword ptr [<&KERNEL32.HeapFree>] ; \HeapFree 00404AA4 . C3 retn 00404AA5 . FF7424 04 push dword ptr [esp+4] ; /dwBytes 00404AA9 . 6A 00 push 0 ; \|dwFlags = 0 00404AAB . FF15 04C04100 call dword ptr [<&KERNEL32.GetProcess>; \|[GetProcessHeap 00404AB1 . 50 push eax ; \|hHeap 00404AB2 . FF15 00C04100 call dword ptr [<&KERNEL32.HeapAlloc>>; \RtlAllocateHeap 00404AB8 . C3 retn 00404AB9 CC int3 00404ABA CC int3 00404ABB CC int3 软件是在华军网站下载的http://www.newhua.com/soft/66790.htm 不知道在那里下断点。下密码断点也不可以。下窗口也不可以。现在这个代码应该是关键下断的。我试了几次都不可以。迷茫呀。请网友指点一下我这个菜鸟吧。看过的客官给点意见吧 2010-12-21 21:34 0
易天雪币： 126 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 16 粉丝 0 关注私信	易天 21 楼完全看不懂~~~哎呀~~ 2010-12-22 00:07 0
wjwqp 雪币： 201 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 2 粉丝 0 关注私信	wjwqp 22 楼学习关注中。。。 2010-12-22 00:52 0
杨氏雪币： 25 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 20 粉丝 0 关注私信	杨氏 23 楼汗......... ybhdgggset 网友指点指点是NET软件之类的我在网上加了一个网友再经他指点才知道是用Xenocode 2008混编写的。折腾了大半个月时间在徘徊。用OD是很难调试出来的，要用C32Asm和NET之类的调试现在是知道我是不能PJ的了。哎，我菜的很，不过我上班的时候有时间。就再捣鼓捣鼓吧。还没有脱壳。那位网友也不能脱，只好再找找资料再折腾一番吧。有这类脱壳经验的网友希望你们能指点一下。 2010-12-22 22:56 0
空佑雪币： 156 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 75 粉丝 0 关注私信	空佑 24 楼围观中。。。 2010-12-23 08:48 0
杨氏雪币： 25 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 20 粉丝 0 关注私信	杨氏 25 楼还是没有捣鼓出来。用工具脱壳后用OD调试跑飞了。还是要手工脱壳呀。看了不少这样的文章，也有很大的收获。在这感谢看看的大大们。是您们无私的贡献出来破文我才看见一点这个软件的苗头。革命尚未成功。只能在努力了。看不能写出来第一篇破文出来。看着大大们写出来的文章实在是受用，谢谢！ 2010-12-26 04:18 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复